GDPR Countdown Week 1 – Financial Penalties
Get it right or it can be a costly event: fines for getting the GDPR wrong have significantly increased.
From 25 May 2018, under the General Data Protection Regulation, the Regulator can penalise organisations for breaching the GDPR.
So how can you avoid being subject to a fine?
- By ensuring that you have adequate procedures in place for identifying and reporting breaches, as well as all aspects of data protection.
- By having a ‘doing all you can’ attitude to compliance; this in turn will be viewed much more favourably than a blatant disregard of the GDPR obligations.
- Of course, the main aim is to be fully compliant and not commit any infringements; to achieve that, you will need to lay the groundwork by ensuring that you have the best systems in place to avoid infringements.
As the potential fines are substantial, it is good practice to ensure you are compliant with the Regulation and don’t get caught out.
If, however, you are found to be in breach of the GDPR, the Regulator can apply one of two levels of fine against you, namely:
- The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher; or
- The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. It is important to note that these figures are the maximum figures. Infringements that could warrant a higher-level fine include, but are not limited to:
  - Breaching the basic principles for processing, including the conditions for consent, the lawfulness of processing and the processing of special categories of personal data;
  - Not dealing with the rights of the data subject correctly; and
  - Transferring personal data to a recipient in a third country or an international organisation.
It is worth noting that fines for infringements will be considered on a case-by-case basis. Before deciding to impose a fine on you for a potential breach, the Regulator will take certain elements into consideration, for example:
- The nature, gravity and duration of the infringement; taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
- The intentional or negligent character of the infringement;
- Any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them;
- Any relevant previous infringements by the controller or processor;
- The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects; and
- The categories of personal data affected by the infringement.
The value of the fine to be imposed is, however, not clear-cut. Your behaviour will be taken into account when determining the value of the fine. You may have the opportunity to reduce any fine by, for example, promoting a culture of data protection and being able to show the steps you have taken to comply.
One final point to consider, separate from these fines and penalties: you should be aware that individuals will have the right to claim compensation for any damage they believe they have suffered as a result of a breach of the GDPR.
Should you require any guidance on this issue please do not hesitate to contact Sarah Hobson or your usual Weightmans contact.