As the final few months of 2017 tick by and the days get shorter, colder and increasingly full of Christmas adverts – they’ll start soon, mark our words – the data-handling world is also getting ever closer to the advent of everybody’s new favourite four-letter acronym (according to a recent survey of Abbreviation Monthly readers), the GDPR.
Yes, the General Data Protection Regulation legislation – try saying that after a few pints – will come into effect throughout the EU and in the UK from 25 May 2018. In previous blogs we have outlined the basics of what the GDPR will mean for you and your company, as well as a few steps you might take to get prepared.
This week, we’re focusing on the new rules’ dark side: the fines and sanctions that might be faced by non-compliers. Here are the nasty pitfalls you will want to avoid if keeping your customers’ digital information safe was not motivation enough.
Remember how in a previous blog we differentiated data controllers – who determine how and why personal data is used – from data processors – who actually utilise the data stored? Well, at the time of writing, the UK’s Data Protection Act of 1998 (the DPA) says that the Information Commissioner’s Office (ICO), the UK data regulator, can take action only against controllers, issuing fines of up to £500,000 to those who break the existing legislation.
The ICO also has the power to prosecute those who commit serious offences, including possible prison sentences for those who deliberately breach the DPA, and issue enforcement notices to those who can still change their ways to comply with the law. The office can also audit government departments without their consent.
The GDPR will empower authorities in all the EU’s constituent nations to issue far more dramatic penalties to offending companies.
For one, the ICO’s jurisdiction will extend to both controllers and processors. It will be lent powers to impose fines of up to €20 million or 4 per cent of a firm’s worldwide turnover (whichever is larger, unfortunately). That’s a significant whack for offending companies to part with; to put it in context, the ICO has issued 44 fines totalling £3,107,500 so far in 2017.
These top fines will be reserved for the most serious infringements of the GDPR’s tenets. These include failing to meet the basic conditions for data processing, such as obtaining consent; infringing customers’ data rights; transferring data internationally; and failing to allow customers access to their own data.
For less serious breaches, the maximum fine allowed is €10 million or 2 per cent of worldwide turnover. These include failures to implement automatic privacy mechanisms, neglecting to report data breaches and not appointing a dedicated data protection officer to oversee data matters.
A number of extra criteria will also be considered by the ICO and other national regulators when determining the size of any fine. These include the nature, gravity, duration and character of the infringement, and may also take into account the types of personal data affected, any previous infringements and how cooperative the firm has been.
There is also provision for data subjects to claim compensation for damages they may suffer from such incidents. Controllers and processors can be sued for compensation as well as fined by administrators – being fined will not save you from court costs, in other words.
The official GDPR guidelines also note that the “behaviour of the organisation” will be taken into account, giving any that are caught out the chance to reduce their fines by fully complying with the regulation. This includes promoting a culture of data protection and being able to show the steps taken to comply.
With this in mind, many experts have recommended building up a system of compliance far in advance of GDPR’s implementation. Steps to achieve this start with fully understanding the regulation and how it affects your business, what gaps there are between your current best practices and compliance, and reviewing any existing information security management systems.
After all, data breaches can often be beyond the control of those companies dealing with user data. In order to avoid some of the heftier – and business-destroying – fines, organisations should ensure they are doing all they can to avoid any nasty data surprises.