A short administrative note for the file. British Airways has filed its appeal against the £183 million Notice of Intent issued by the ICO in July (BA legal filing reported in Reuters). The proceedings are now in the formal representation phase; the final fine, if and when it lands, is on the 12-18 month timeline I noted in July. The Marriott case is on the same track and at the same stage.
The customer-organisation conversations continue to use the NoI figures rather than the eventual final figures as the planning basis for risk assessment. The reduction-on-representation is likely but not guaranteed and is, in any case, not material to the strategic conclusion: GDPR enforcement at scale is real, the figures are large enough to drive board-level engagement, and the customer-organisation programmes that have invested in attestable compliance posture have a defensible position.
I will write a longer post when the final-fine determination lands, which will likely be in mid-2020. The interim period is, for the customer briefings, operationally settled — the planning has been done and the programmes are in execution.
The shorter format on this entry is deliberate. There is little to add operationally. The blog discipline of writing notes contemporaneously means recording when there is no substantive update is, sometimes, the right entry.