If you find yourself in breach of the GDPR, what type of penalty can you expect? Most importantly of all, what should you do to avoid falling foul of the regulator in the first place? This guide is designed to provide you with a reassuring dose of clarity.
What is the maximum GDPR fine?
Under the old Data Protection Act 1998 (DPA), the maximum fine that could be handed out by the Information Commissioner’s Office (ICO) for non-compliance was £500,000.
The GDPR introduced two tiers of fines that can be levied, depending on the specific part of the regulation that has been breached:
- Up to €20 million, or 4% of the organisation’s total worldwide annual turnover – whichever is higher.
- Up to €10 million, or 2% of total worldwide annual turnover – whichever is higher.
Broadly, there are more ways to be subject to the higher tier than the lower tier. Breach of basic principles of the GDPR such as fairness, lawfulness, transparency and the rules relating to transfers of personal data will all leave organisations open to the higher tier of fines.
The lower tier of fines applies to specific, limited circumstances including, rather oddly, around the consent of children and data protection by design and by default.
Non-financial penalties and regulatory intervention
The ICO argues that its main job is to encourage and ensure that organisations meet their data protection obligations and very often penalties other than fines are better suited for achieving this. Other than fines, the powers available to the regulator come in three main flavours:
- Intervention. This includes ‘stop now’ orders, requiring you to cease a certain course of activity until you’ve fixed a breach. Alongside this, the ICO can issue undertakings; i.e. a formal order compelling you to do something to address non compliance (e.g. specific improvements to your IT security framework).
- Audit. Sometimes it’s consensual, in other situations you have no choice on the matter. Either way, the ICO can come in and carry out a thorough assessment of your organisation’s set-up and procedures to check that you’re following good practice.
- Prosecution. Some breaches of data privacy law constitute a criminal offence. Neglecting to register as a data controller is a good example. It can lead to a criminal conviction for a company (or its directors) as well as a fine.
These measures can be taken in conjunction with each other (e.g. a ‘stop now’ order hot on the heels of an audit). They can also be taken instead of, or alongside a fine.