kyle - 5 months ago I bet most people were not expecting an airline to be the first to be fined for GDPR violations in the U.K. by the ICO. From what I have read the breach was mostly due to their own incompetence so it was probably justified. That said, I would be cautious about fining companies for data breaches in general.
We want companies to come forward with information about their own data breaches as soon as possible, so we should try to avoid punishing them for doing so. story