GDPR – Understanding Penalties, Fines and Liabilities

In his second post, Craig Clark, Information Security and Compliance Manager at the University of East London, looks at the interpretation of Article 83 of the General Data Protection Regulation.

Introduction

The introduction of the General Data Protection Regulation (GDPR) has been dominated in the main by one topic: what fines organisations could face if a supervising authority, which for the UK will in most cases be the Information Commissioner's Office (ICO), finds that they have breached the GDPR.
Many media outlets have been quick to leap on the fact that the maximum fine for non-compliance is €20,000,000 or 4% of global annual turnover, whichever is higher. However, in the haste to report this, many commentators have forgotten to clarify that this is the maximum fine. Below, I have attempted to break down the conditions for imposing administrative fines and show that there is a bit more to it.

Understanding the Fining Structure

The GDPR has been designed to ensure that organisations take the appropriate measures to protect personal data against the risks of loss in the 21st Century. For organisations that fail to meet the requirements, the GDPR allows the supervising authority to take a range of actions including:

  • Issue warnings;
  • Issue reprimands;
  • Order compliance with data subjects' requests;
  • Communicate the personal data breach directly to the data subject.

In addition to the above, the supervising authority has the power to impose administrative fines that will in each case be effective, proportionate and dissuasive.

There are two tiers of administrative fine that can be imposed. The maximum fine for the first tier is €10,000,000 or, in the case of an undertaking, up to 2% of total annual global turnover (not profit) of the preceding financial year, whichever is greater. The second tier maximum is €20,000,000 or, in the case of an undertaking, up to 4% of total annual global turnover (not profit) for the preceding financial year, whichever is greater. The fines within each tier relate to specific articles within the Regulation that the controller or processor has breached. As a general rule, breaches of obligations by controllers or processors will result in a fine within tier one, while breaches of data subjects' rights and freedoms will result in a fine within tier two.

Question: Does your organisation understand which articles of the GDPR relate to a tier 1 or tier 2 fine?

How will Fines be Determined?

The GDPR is clear that, in order to ensure any fine is proportionate, a range of factors will be assessed by supervisory authorities when investigating organisations that breach the GDPR.

Of key importance will be the nature, gravity, duration and character of an infringement. It is also worth noting that actions taken by the controller or processor to mitigate any damage suffered by data subjects, along with their degree of responsibility for the technical and organisational measures implemented to prevent the breach occurring, will be considered during an investigation.

The Regulation also allows the supervising authority to take a holistic approach to an investigation and consider factors such as infringement history (including previous correction notices), level of co-operation, the categories of personal data affected, the manner in which the breach became known and was reported, the level of adherence to approved codes of conduct or certification mechanisms, and any other aggravating or mitigating factors.

Minimising Fines

It is logical to suggest that an organisation which demonstrates a positive approach to ensuring security, with a range of technical, management and operational controls, will receive a lower fine than an organisation that takes no measures or blatantly disregards its obligations under the GDPR. It is also worth noting that the Information Commissioner has made it clear that, in terms of incident reporting, organisations that proactively report breaches will be given more credit than organisations that do not report a breach which is then discovered by a third party.

Question: Does your organisation currently document breaches? If it does, how are these reported?

In summary, organisations can significantly reduce the likelihood of receiving a maximum fine by establishing a culture that promotes information security best practice and an ethos centred on protecting personal information. As we have seen with the outcome of the TalkTalk breach, the ICO is now entering a new phase of exploring the upper limits of the monetary fines available to it. It is highly likely that this trend will continue into 2018, meaning that GDPR compliance should be high on the list of 2017 objectives for organisations that fall within its scope.

2 thoughts on “GDPR – Understanding Penalties, Fines and Liabilities”

1. Susan Graham

   Thank you for this helpful summary of the fines structure. I would like to add that these arrangements do not apply to ‘public authorities’ – it is for individual member states to set the level of fines for them.

2. Tim Rodgers

   There is a question I guess as to whether this maximum will be accepted by the government, either now whilst GDPR is adopted, or later when a new DPA is required if we leave the EU.

   Previously, the ICO produced details of their fine scales – certain incidents for example would range from £40,000 to £70,000. I wonder if this is in development at the ICO, or whether the first penalties issued in late 2018 will be ‘finger in the wind’ figures.
