Re: And So It Begins - Payback is a bitch
I see a lot of remarks here that regard the ICO as toothless. Perhaps before May 25th 2018 but after that date, less so.
Article 58 covers the powers bestowed upon the "Supervisory Authority" (ICO), which now can:
"obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law."
"...to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;"
(ref: https://gdpr-info.eu/art-58-gdpr )
The second of the points above is a bigger deal as the ICO can "order" them to comply. Related is Article 32 which is a key provision, as it covers "Security of Processing" which carries the burden of providing assurance of the CIA triad. I'm sure it'd be a major hassle if the regulator is breathing down your neck and publishing at the same time any (lack of) progress.
I can almost hear the people in the back row saying "yeah, yeah but it's never been tested in court, blah blah". True. Equally, the ICO will be keen to be seen as being able to flex its muscles after its relatively weak fine on FB.
That said, there's a lot of unjustified glee about the potential fines.
Whilst it's true that it can be 2% or 4% etc, it also needs to be "effective, proportionate and dissuasive."
The operative word here is proportionate since it needs to take into account "the intentional or negligent character of the infringement" (Article 83).
If BA can show that they've had an ongoing programme of security audits, risk assessments and/or pen tests, then I can see them arguing the toss and getting away without a "total b*tchslap". At the same time, there's still sufficient scope for it to hurt.