The General Data Protection Regulation (GDPR) features updated penalties for non-compliance with data privacy law, including the possibility of higher fines for the most serious breaches. But while it’s true that the data regulator now has sharper teeth, it also seems that the whole issue of GDPR penalties has prompted more than a little scaremongering.
So, if you find yourself in breach of the GDPR, what type of penalty can you expect? Most importantly of all, what should you do to avoid falling foul of the regulator in the first place? This guide is designed to provide you with a reassuring dose of clarity.
What are the penalties for a GDPR breach?
Under the old Data Protection Act (DPA), the maximum fine that could be handed out by the Information Commissioner’s Office (ICO) for non-compliance was £500,000.
The GDPR introduces two tiers of fines that can be levied, depending on the specific part of the regulation that has been breached:
- Up to €20 million, or 4% of the organisation’s annual global turnover – whichever is higher.
- Up to €10 million, or 2% of annual global turnover – whichever is higher.
Broadly, if a breach of the regulation involves an infringement of an individual’s privacy rights, then the top tier applies. This includes situations where a person’s data has been processed without any lawful basis (where they haven’t given proper consent, for instance).
The lower tier applies largely to breaches of a more procedural or technical nature. Examples include failure to report, or late reporting of, security breaches; a lack of record keeping; or failure to cooperate with the ICO.
Non-financial penalties and regulatory intervention
The ICO’s main job is to encourage and ensure that organisations meet their data protection obligations, and very often penalties other than fines are better suited to achieving this. Beyond fines, the powers available to the regulator come in three main flavours:
- Intervention. This includes ‘stop now’ orders, requiring you to cease a certain course of activity until you’ve fixed a breach. Alongside this, the ICO can issue undertakings, i.e. formal orders compelling you to do something to address non-compliance (e.g. specific improvements to your IT security framework).
- Audit. Sometimes it’s consensual, in other situations you have no choice on the matter. Either way, the ICO can come in and carry out a thorough assessment of your organisation’s set-up and procedures to check that you’re following good practice.
- Prosecution. Some breaches of data privacy law constitute a criminal offence. Neglecting to register as a data controller is a good example. It can lead to a criminal conviction for a company (or its directors) as well as a fine.
These measures can be taken in conjunction with each other (e.g. a ‘stop now’ order hot on the heels of an audit). They can also be taken instead of, or alongside, a fine.
Will I be fined for non-compliance? Some myths busted.
The threat of €20 million fines makes for good headlines, but it also helps to fuel the myth that dodging a financial penalty is the number one reason for taking data protection compliance seriously. Time to address a couple of the myths surrounding the repercussions of GDPR non-compliance…
Myth 1: If you breach the GDPR, you face an automatic fine.
In 2016/17, the ICO looked at 17,300 cases. Of those, just 16 resulted in fines. Financial penalties are far from the ‘go-to’ tools of the regulator and the Information Commissioner has made it clear that she’s not going to change her policy on this.
If a fine is to be imposed, the GDPR states that it must be “effective, proportionate and dissuasive”. So, if for instance a GDPR breach is a one-off transgression by a company ready and willing to learn from its mistakes, a fine is unlikely. The same can’t be said for a company that knowingly and repeatedly breaks the rules and puts individuals’ personal data at risk.
Myth 2: fines are the only penalties you should be concerned about.
Whether it’s the taxman, your professional ombudsman or the ICO, no-one relishes the thought of an audit. Chances are that if you’re facing regulatory intervention, it’s not necessarily going to be in the shape of a fine. But a ‘stop now’ order could easily cripple the operations of a business – and an audit means devoting time and resources that could be better used elsewhere.
There is also a strong risk that any penalty or investigation will become public knowledge. The publicity from any breach is likely to be exceedingly damaging to a business and ruthlessly exploited by its competitors. The moral of this story? Regulatory intervention in all its forms is something to be avoided if possible!
Avoiding a sanction: the essentials…
To stay on the right side of the regulator, try these for starters…
- Get familiar with the new law. From consent through to the organisational changes you may need to make right now, browse our resource centre for the full lowdown on all key aspects of the GDPR.
- Get the tools you need to demonstrate compliance. To avoid intervention of the regulator, you need to be able to demonstrate compliance. Whether you’re launching a new app or onboarding new staff, this demands careful attention both to the relevant aspects of the law and to your own records and procedures. Fortunately, The Privacy Compliance Hub provides precisely what you need to stay on top of this, enabling you to prove compliance to the ICO and other European regulators.
Want to know more about making compliance easier? Explore the rest of our resources here. If you’d like to know more about how The Privacy Compliance Hub could work in your organisation get in touch!