GDPR Blog Week 1: Fines
You will no doubt be aware of the change in data protection laws which will become enforceable from. The headline news is that the Information Commissioner’s Office (ICO) are increasing fines for non-compliance up to a maximum of 20 million euros or 4% of your annual group turnover. On current exchange rates, that’s in the region of £17 million.
Whilst the GDPR is indeed increasing the maximum penalty for data protection breaches, these figures will only be invoked in the most serious of cases and in the largest organisations. Serious cases include breaching data protection principles (of which there are 7), not obtaining the necessary consents, ignoring data subjects’ rights and making unlawful international data transfers.
There is a second tier of sanctions capped at 10 million euros or 2% of annual group turnover for misdemeanours in record-keeping, ineffective or absent data protection officers (DPOs) and insufficient safeguarding in data processor contracts.
The ICO have said that fines under the GDPR will be proportionate and not issued in the case of every infringement. They’ve also said that the sanctions are available where organisations systemically fail to comply with the law or completely disregard it, particularly where the public are exposed to significant data privacy risks.
What is clear is that the ICO aren’t looking for perfection. They’re looking for transparency and accountability – a paper trail to show that you’ve considered the GDPR, and that you’re doing everything within your power and resources to comply with it. The ICO guidance states that fines can be avoided if organisations are open, honest and report breaches without undue delay. Reading between the lines, if you have appointed a DPO, have a training programme rolled out or have a Privacy Impact Assessment (PIA) in place, then these measures will work in your favour.
Look within your organisation and raise this matter with your executive committee as the time for taking action is now. Please don’t hesitate to contact me, Louise Weatherhead at Louise.firstname.lastname@example.org or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.
We will be releasing our blogs on a weekly basis in the run-up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Consent and the onerous burden of acquiring it under the new Regulation. We hope that our blogs help you to think about transition arrangements and getting to grips with the new GDPR.