What types of compliance documents can ComplianceIQ generate?

ComplianceIQ generates privacy policies, terms of service, employee handbooks, data handling policies, OSHA compliance documents, acceptable use policies, HIPAA compliance docs, information security policies, and more — all tailored to your industry.

Are the generated documents legally valid?

ComplianceIQ generates comprehensive, industry-standard compliance documents informed by current regulations. While they provide an excellent foundation, we recommend having critical documents reviewed by legal counsel for your specific jurisdiction.

How does ComplianceIQ stay current with regulations?

Our AI models are continuously updated with the latest regulatory frameworks including GDPR, CCPA, HIPAA, SOC 2, OSHA, and more. Pro and Enterprise plans include regulatory update alerts.

← All enforcement actions

GDPRTravel

British Airways — £20M GDPR fine (2020)

Magecart-style skimmer on payment page — 429K records exposed

Penalty

£20M

Regulator

UK ICO

Jurisdiction

United Kingdom

Records affected

429K

What happened

Attackers injected a Magecart credit-card skimmer onto ba.com and the mobile app payment flow, exfiltrating cardholder + personal data of ~429K customers. The ICO's final penalty (reduced from an initial £183M proposed) cited insufficient security measures including missing MFA and weak network segmentation.

Root cause

Third-party script (Modernizr) modified to skim card data
No MFA on Citrix remote-access account used by attacker
Weak Content Security Policy — no allow-list for payment-page scripts

What every team should do

Enforce a strict Content Security Policy (CSP) on payment + checkout pages
Subresource Integrity (SRI) hashes for every third-party script on cardholder-data pages
MFA on EVERY remote-access account (not just admin) — and rotate via PAM
PCI DSS v4.0.1 Req 6.4.3 + 11.6.1 now mandate this for all card-acceptance pages from Mar 2025

Source: ICO monetary penalty notice (Oct 16, 2020).

Would your controls have stopped this?

ComplianceIQ audits your existing policies in 60 seconds and shows you exactly which GDPR controls you are missing — mapped to enforcement patterns like this one.

Run my GDPR audit Generate missing policies

British Airways — £20M GDPR fine (2020)

What happened

Root cause

What every team should do

Related enforcement actions