Three years of GDPR: the biggest fines so far
Since its launch, hundreds of millions of euros worth of fines have been handed out by information commissioners around Europe.
Offences have included retailers misrepresenting the way they use CCTV cameras to monitor employees, and companies not complying with the "right to be forgotten" law.
The legislation replaced older data protection laws, and while it was drafted in Europe, regulators can fine organisations anywhere in the world which target or collect data in the EU.
Alex Cruz, the airline's chairman and chief executive, said it was "surprised and disappointed" in the ICO's initial findings.
"British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft, he said.
British hotel chain Marriott International was fined in 2018 in relation to a hack dating back to 2014, but not uncovered until four years later.
