Disclaimer: The advice provided here is our own interpretation and opinion. We have tried to simplify the main points of GDPR to create this guide, but for more in-depth information please read the official ICO guidance.
The EU General Data Protection Regulation (GDPR) will be enforced on May 25th, 2018.
The new regulations aim to give individuals more rights over their personal data and to strengthen control over how businesses are allowed to obtain and use personal data.
The GDPR applies to any business or organisation that collects and processes data. Failure to comply will result in high penalties.
Currently, the maximum fine the Information Commissioner’s Office (ICO) can impose is £500,000. However, under GDPR, the fines issued will be a lot higher.
Administrative GDPR fines
The fines that businesses could receive vary depending on the severity of the data breach. There are two tiers of administrative fines that can be issued:
1) Up to €10 million, or 2% annual global turnover – whichever is higher.
2) Up to €20 million, or 4% annual global turnover – whichever is higher.
If a data breach has occurred, the ICO can decide the level of fine that should be issued to the business. In doing so, it must consider:
- The nature, gravity and duration of the infringement;
- The intentional or negligent character of the infringement;
- Any action taken by the organisation to mitigate the damage suffered by individuals;
- Technical and organisational measures that have been implemented by the organisation;
- Any previous infringements by the organisation or data processor;
- The degree of cooperation with the regulator to remedy the infringement;
- The types of personal data involved;
- The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; and
- Adherence to approved codes of conduct or certification schemes.
For penalties of up to €10 million or 2% of annual turnover, infringements listed in Article 83(4) of the GDPR will be considered.
This includes infringements relating to:
- Integrating data protection ‘by design and by default’
- Records of processing activities
- Cooperation with the supervisory authority
- Security of processing data
- Notification of a personal data breach to the supervisory authority
- Communication of a personal data breach to the data subject
- Data Protection Impact Assessment
- Prior consultation
- Designation, position or tasks of the Data Protection Officer
For penalties of up to €20 million or 4% of annual turnover, infringements listed in Article 83(5) of the GDPR will be considered.
This includes infringements relating to:
- The basic principles for processing, including conditions for consent, the lawfulness of processing and the processing of special categories of personal data
- Rights of the data subject
- Transfer of personal data to a recipient in a third country or an international organisation
It is important to point out that these figures are the maximum penalties that businesses could receive for failing to comply with GDPR.
Violations of the business’ obligations, for example data security breaches, will be subject to the lower level of fines, whereas violations of an individual’s privacy rights will be subject to the higher level.
If multiple violations occur, the overall fine will not exceed the cost of the fine for the most severe violation.
The ICO can issue smaller fines if the breach is considered as less of a risk, and they can also impose a range of corrective powers and sanctions to enforce the GDPR. These include:
- Issue warnings
- Issue reprimands
- Issue an order of rectification, restriction or erasure of data
- Issue a temporary or permanent ban on data processing
- Suspend data transfers to other countries
- Order compliance with Data Subject requests
- Communicate the personal data breach directly to the data subject
All fines are discretionary, rather than mandatory, and must be issued on a case-by-case basis. GDPR also states that penalties must be ‘effective, proportionate and dissuasive’.
Early cases of non-compliance may be subject to higher penalties to set an example to other businesses on the importance of taking GDPR seriously and ensuring compliance is followed.
Many small businesses assume that GDPR only applies to large companies, but it applies to any business that collects and handles customer and client data.
Liability for damages
Under GDPR, individuals will have the right to claim compensation from the business for any material and/or non-material damage resulting from a data breach. Therefore, companies should consider not only the potential fines issued by the ICO, but also the compensation costs, when weighing the risk of poor compliance.
Avoiding a fine
To prevent a GDPR fine or a compensation claim, businesses should implement adequate security measures and follow the GDPR strictly.
If a breach takes place, businesses could reduce the level of penalty they receive by ensuring they have the correct procedures in place for identifying and reporting breaches.
Businesses that can prove they have taken as many steps as possible to prevent a breach will be viewed more favourably by the ICO than a business that has made no effort to comply with the GDPR.
All businesses that collect and store individuals’ data should take it upon themselves to understand the GDPR thoroughly to avoid significant fines.