British Airways (BA) is facing a record £183.39 million ($230 million) fine over a 2018 security breach that compromised the personal data of roughly 500,000 customers.

The U.K. Information Commissioner’s Office (ICO) said it has “issued a notice of its intention” to levy the gargantuan fine against BA, which now has 28 days to appeal before the ICO settles on a final figure.

The breach, which the ICO said it believes started back in June 2018 — some three months before it was eventually reported — was the result of “poor security arrangements,” according to a statement. A fraudulent website set up by an unknown third party to receive redirected BA traffic reportedly harvested personal data such as login information, payment card details, names, addresses, and travel booking details.

Record fine

The GDPR, which requires companies to report data breaches to the appropriate European authorities within 72 hours of discovery, stipulates that local data protection agencies across the EU bloc can fine companies up to 4% of their total annual revenue. As BA earned around £12.2 billion ($15 billion) last year, the proposed ICO fine equates to around 1.5% of BA’s 2017 income — considerably less than the maximum.

That said, the BA fine is still by far the largest to result from the GDPR, which went into effect last year. While a number of fines have already been issued under GDPR, they have mostly been in the tens or hundreds of thousands of euros — with one notable exception. Google was hit with a €50 million ($57 million) fine by French data privacy body CNIL back in January over a “lack of transparency” and “inadequate information” about how ads are personalized for each user. It’s worth noting that Facebook was also slapped with a £500,000 ($644,000) fine over the Cambridge Analytica episode; however, that was under the pre-GDPR regulations that were in place at the time.

“People’s personal data is just that — personal,” stated U.K. information commissioner Elizabeth Denham. “When an organization fails to protect [that data] from loss, damage, or theft, it is more than an inconvenience. That’s why the law is clear — when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The ICO said BA has “made improvements to its security arrangements” since the incident was reported.

GDPR has been a headache for many companies, with some online properties, such as newspapers, electing to go offline in Europe rather than face potentially huge fines. But the regulations are designed to tighten the scope of data protection laws across the EU and ensure internet users have the control mechanisms to manage their data — and that there are sufficient punishments in place for companies that contravene the laws. To aid with GDPR compliance, Google shifted control of its European data from the U.S. to Ireland.

As a result of GDPR and similar regulations around the world, a number of startups are pushing to capitalize on the growing demand for data sovereignty and privacy tools. Privitar, for example, recently raised $40 million for a platform that helps enterprises engineer privacy protection into projects that may contain sensitive data. Elsewhere, InCountry launched with $7 million in funding to help multinational companies store customer data locally.