If you find yourself in breach of the GDPR, what type of penalty can you expect? Most importantly of all, what should you do to avoid falling foul of the regulator in the first place? This guide is designed to provide you with a reassuring dose of clarity.
What is the maximum GDPR fine?
Under the old Data Protection Act 1998 (DPA), the maximum fine that could be handed out by the Information Commissioner’s Office (ICO) for non-compliance was £500,000.
The GDPR introduced two tiers of fines that can be levied, depending on the specific part of the regulation that has been breached:
- Up to €20 million, or 4% of the organisation’s total worldwide annual turnover – whichever is higher.
- Up to €10 million, or 2% of total worldwide annual turnover – whichever is higher.
Broadly, there are more ways to be subject to the higher tier than the lower tier. Breach of basic principles of the GDPR such as fairness, lawfulness, transparency and the rules relating to transfers of personal data will all leave organisations open to the higher tier of fines.
The lower tier of fines applies to specific, limited circumstances including, rather oddly, around the consent of children and data protection by design and by default.
Non-financial penalties and regulatory intervention
The ICO argues that its main job is to encourage and ensure that organisations meet their data protection obligations and very often penalties other than fines are better suited for achieving this. Other than fines, the powers available to the regulator come in three main flavours:
- Intervention. This includes ‘stop now’ orders, requiring you to cease a certain course of activity until you’ve fixed a breach. Alongside this, the ICO can issue undertakings; i.e. a formal order compelling you to do something to address non compliance (e.g. specific improvements to your IT security framework).
- Audit. Sometimes it’s consensual, in other situations you have no choice on the matter. Either way, the ICO can come in and carry out a thorough assessment of your organisation’s set-up and procedures to check that you’re following good practice.
- Prosecution. Some breaches of data privacy law constitute a criminal offence. Neglecting to register as a data controller is a good example. It can lead to a criminal conviction for a company (or its directors) as well as a fine.
These measures can be taken in conjunction with each other (e.g. a ‘stop now’ order hot on the heels of an audit). They can also be taken instead of, or alongside a fine.
Has anyone been fined under the GDPR?
The threat of €20 million fines makes for good headlines, but it also helps to fuel the myth that dodging a financial penalty is the number one reason for taking data protection compliance seriously. Time to address a couple of the myths surrounding the repercussions of GDPR non-compliance…
Myth 1: If you breach the GDPR, you face an automatic fine.
In 2016/17, the ICO looked at 17,300 cases. Of those, just 16 resulted in fines. Financial penalties are far from the ‘go-to’ tools of the regulator and the Information Commissioner has made it clear that she’s not going to change her policy on this.
If a fine is to be imposed, the GDPR states that it must be “effective, proportionate and dissuasive”. So, if for instance a GDPR breach is a one-off transgression by a company ready and willing to learn from its mistakes, a fine is probably unlikely. The same can’t be said for a company that knowingly and repeatedly breaks the rules and puts individuals’ personal data at risk.
Myth 2: fines are the only penalties you should be concerned about.
Whether it’s the taxman, your professional ombudsman or the ICO, no-one relishes the thought of an audit. Chances are that if you’re facing regulatory intervention, it’s not necessarily going to be in the shape of a fine. But a ‘stop now’ order could easily cripple the operations of a business – and an audit means devoting time and resources that could be better used elsewhere.
There is also a strong risk that any penalty or investigation is likely to become public knowledge. The publicity from any breach is likely to be exceedingly damaging to any business and ruthlessly exploited by the competitors of that business. The moral of this story? Regulatory intervention in all its forms is something to be avoided if possible!
Can individuals be fined under the GDPR?
The GDPR does not apply to data processing carried out by individuals purely for personal reasons or household activities. But it does apply if an individual is self employed and processing personal data as part of their business activity. Individuals can also be fined under the GDPR if they’re guilty of infringements under national law, such as:
- Obstructing the Commissioner in investigating alleged non compliance.
- Knowingly providing a false statement when asked for information by the ICO or DPA.
- Destroying or falsifying information and documents.
- Alteration or concealment of personal data summoned by the ICO.
- Obstructing the execution of a warrant in relation to offences under the GDPR or Data Protection Act 2018.
- Unlawfully obtaining personal data without the consent of the data controller.
- Re-identification of de-identified personal data.
Avoiding a sanction: the essentials…
To stay on the right side of the regulator, try these for starters…
- Get familiar with the GDPR. From consent through to the organisational changes you may need to make right now, browse our resource centre for the full lowdown on all key aspects of the GDPR.
- Get the tools you need to demonstrate compliance. To avoid intervention of the regulator, you need to be able to demonstrate compliance. Whether you’re launching a new app or onboarding new staff, this demands careful attention both to the relevant aspects of the law and to your own records and procedures. Fortunately, the Privacy Compliance Hub provides precisely what you need to stay on top of this, enabling you to prove compliance to the ICO and other European regulators.
Want to know more about making compliance easier? Explore the rest of our resources here. If you’d like to know more about how the Privacy Compliance Hub could work in your organisation get in touch!