The headline news is that the Information Commissioner’s Office (ICO) are increasing fines for non-compliance up to a maximum of 20 million euros or 4% of your annual group turnover. On current exchange rates, that’s in the region of £17 million.
Whilst the GDPR is indeed increasing the maximum penalty for data protection breaches, these figures will only be invoked in the most serious of cases and in the largest organisations. Serious cases include breaching data protection principles, not obtaining the necessary consents, ignoring data subjects’ rights and making unlawful international data transfers.
There is a second tier of sanctions capped at 10 million euros or 2% of annual group turnover for lesser failings: inadequate record-keeping, ineffective or absent data protection officers (DPOs), and insufficient safeguards in data processor contracts.
The ICO have said that fines under the GDPR will be proportionate and not issued in the case of every infringement. They’ve also said that the sanctions are available where organisations systemically fail to comply with the law or completely disregard it, particularly where the public are exposed to significant data privacy risks.
What is clear is that the ICO aren’t looking for perfection. They’re looking for transparency and accountability – a paper trail to show that you’ve considered the GDPR, and that you’re doing everything within your power and resources to comply with it.
The ICO guidance states that fines can be avoided if organisations are open, honest and report breaches without undue delay. Reading between the lines, if you have carried out a data mapping exercise, appointed someone to take responsibility for data protection within the organisation, rolled out a training programme, and have a GDPR compliant Privacy Notice in place, then these measures, along with others referred to in this Checklist, will work in your favour.
Look within your organisation and raise this matter with your executive committee, as the time for taking action is now.
If we can assist you or your business in any way, or if you have any questions in relation to the services that we offer, please contact us. We look forward to working with you.
- Have you reviewed your insurance policies to check that you have the appropriate level of cover in light of the penalty increases?
- Do you have Data Breach Response Procedures with GDPR compliant time limits?
- Do you have template letters and a breach register in place to record every breach, its consequences and the action taken?
- Have you conducted a Privacy Impact Assessment?
- Have you trained all staff in data protection and breach procedures?