GDPR breaches and penalties: could they cost you your business?

Much information is currently circulating about the EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. In this article, we look at the headline-grabbing issue of GDPR penalties, the large fines that can be imposed by the Information Commissioner’s Office (ICO) upon organisations found to be in breach of GDPR. We take a look at the basis upon which infringements will be assessed, the penalties themselves, and the principles upon which GDPR penalties will be imposed.


GDPR data regulation and what it means for companies

GDPR supersedes the 1995 Data Protection Directive. This is viewed as a largely inadequate directive created to regulate the processing of EU citizens’ (data subjects) data, to protect citizens’ fundamental human right to privacy. As the number of companies which hold personal data, and the complexity and volume of data being held (think social media and cloud processing for starters), increases exponentially, the overriding aim of the new legislation is to “protect all EU citizens from privacy and data breaches”.

Who does GDPR relate to? Who is affected by GDPR?

GDPR applies to all companies “processing the personal data of data subjects residing in the Union, regardless of the company’s location.”

Is the GDPR mandatory?

Unlike its earlier incarnation, GDPR is a regulation not a directive. It is a binding legislative act which must be applied in its entirety across the EU. Despite Brexit, this will continue to affect the UK, even after it leaves the EU. Legislation is currently going through parliament to enshrine the provisions in UK law.

GDPR key changes

The key changes that the new EU data protection regulation has in comparison to the original directive concern:

  • Increased Territorial Scope
  • Penalties
  • Consent
  • Data Subject Rights

You can view full details of the key changes here.

GDPR penalties

The headline information is as follows:

“…organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.” EU GDPR Portal

Picking GDPR penalties apart

Does any GDPR breach result in a penalty fine?

First and foremost, administrative fines will be related to the most serious offences or breaches of the regulations. In the first instance, the Information Commissioner’s Office (ICO) has the ability to:

  • issue warnings to a data controller or processor, where intended processing operations are likely to infringe provisions of this regulation;
  • issue reprimands to a data controller or a processor where the processing operations have infringed provisions of this data protection regulation;
  • order the data controller or processor to bring processing operations into compliance with the provisions of this regulation, where appropriate, in a specified manner and within a specified period;
  • order the suspension of data flows to a recipient in a third country or to an international organisation;
  • order the rectification or erasure of personal data or restriction of processing (whether this is a definitive limitation or a ban on processing).

Important note: where GDPR refers to data controllers and processors, this is specifically intended to cover both the entity that is determining the purposes, conditions and means for processing personal data, and also any entity which processes personal data on behalf of the controller, including any software used. Previously, only data controllers could be subject to action. However, under GDPR, both controllers and processors can be subject to action. In summary, your organisation must take full responsibility for all organisational data processing activities, regardless of how those activities are carried out.

Separate to, or in addition to, the measures above, the supervising authority also has the power to impose administrative fines.

Fines, as outlined in Article 83, should be considered on an individual basis. However, they need to be effective, proportionate and dissuasive. The fines will be subject to a two-tiered approach:

  1. Up to €10 million, or 2% annual global turnover – whichever is higher.
  2. Up to €20 million, or 4% annual global turnover – whichever is higher.

Generally speaking, the data protection breaches of controller or processor obligations will be fined within the first tier. Violations of data subjects’ rights and freedoms will be subject to second-tier fines.

As mentioned above, the fines will be applied on an individual basis. The general principles for consideration will be:

  • the nature, gravity and duration of the infringement. The nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the severity of damage suffered by them, will be taken into account;
  • the intentional or negligent character of the infringement;
  • any action taken by the controller or processor to mitigate the damage suffered by data subjects;
  • the degree of responsibility of the data controller or processor, also taking into account the technical and organisational measures implemented by them.

In conclusion

Were the worst to happen, the way your organisation has approached its responsibilities under GDPR, both before the breach and afterwards, is likely to play a large part in what action, if any, is taken.

Privacy by Design is a core concept and legal requirement under GDPR. This data protection regulation requires organisations to protect data subjects’ data from the earliest point at which systems for processing information are designed and implemented. This means obtaining clear consent, and only obtaining and holding data which is absolutely necessary. It also means respecting subjects’ rights to privacy, including the right to access and the right to be forgotten, both key principles which should determine organisational processes and policy.

Where breaches do occur, good organisational behaviours are mitigating factors to help organisations avoid the largest GDPR penalties. For instance: notifying data subjects of the breach, reporting the incident to the regulator and carrying out detailed investigations into how and why the breach occurred. Similarly, conducting impact assessments and undertaking remedial action may help avoid the fines.

If your business has been or is likely to be subject to a fine, or you have concerns about the financial health of your business, contact one of our business rescue experts. We will be happy to offer a free, informal, initial consultation.