GDPR, PCI DSS and non-material damages all might cost British Airways dear

Or any other personal data breach for that matter.

The very recent £183 million fine imposed on British Airways for their data breach has brought to light an issue with the GDPR and how to go about enforcing it.

Reading the articles in the news you might think that no real harm was done. You would be wrong. For one thing, these criminal gangs don’t set up such sophisticated attacks without working out how to capitalise on their investment, so the financial element of this breach is almost certain to result in fraudulent card transactions.

Fortunately, you as a customer are generally protected from this type of fraud and should not suffer any material damage as a result of BA allowing your card details to be stolen. You will get your money back and your card company will send you a new card and you are all secure again.

But hold on, that’s not the end of the story…

Can you change your name? What about your logon details and password, or your address? Can any of those be changed so easily?

Those details, along with financial information and card details, provide a significant amount of material to anyone contemplating identity theft. And let’s face it, you just can’t change some of that stuff easily, and of the things you can change, it’s a hassle, right?

But what can you do about it? You haven’t suffered any direct hardship, and how do you prove how much hassle it has been for you because of BA’s less than secure security?

The GDPR is very specific when it comes to data breaches. The regulation says this:

Article 82 Right to compensation and liability

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

And what does non-material mean?

This means compensation for inconvenience, distress and annoyance associated with the data leak.

For most people the hassle of bringing a non-material damages claim against a data controller is just that: hassle. However, in the case of BA, SPG Law is bringing a class action against BA. You can read more detail about it here.

Or go direct to SPG Law here.


Whilst BA is going to have to cough up a substantial part of that £183 million (assuming they get a reduction during an appeal process), it’s still a lot less than it should have been, and it is not the end of the story for BA.

GDPR is one aspect, but you can expect the card schemes (Visa, Mastercard, American Express etc.) to be levying their own fines. When you compromise 380,000 card payments, the PCI DSS fines could also be quite large.

Let’s assume 90% of the 380,000 card transactions were unique cards. 

Using those figures to illustrate the example:

  • Cards compromised = 342,000
  • Fines per card for PAN and CVV = €18 (based on Visa card breach fines)
  • 342,000 * €18 = €6,156,000 plus the cost of the investigation and a €3000 case fee

And what could the total cost for BA look like?

€183m for GDPR
€6m for PCI DSS
€684m for non-material damages (342,000 individuals * €2000 compensation) plus court costs (as per SPG website information)

€5-10m to bolster their security practices (guesstimate)

That’s a whacking great total of €883m, or around £800m.

If only they had spent a mere fraction of that on better security and specialist advice. They might still have been breached, but at least they might have detected it quicker and shut it down sooner.

Contact us

If you would like to know more about how GDPR Auditing can help your organisation with PCI DSS or GDPR then please contact us at or visit our contacts page.

The information provided in this post is for general information only and is not intended to provide legal advice.


© GDPR Auditing 2019.