GDPR and Fines

gdpr fines

GDPR and Fines

What are the chances of you getting fined?

As a small business owner, if you’re not processing significant personal data, and have secure measure in place to look after the personal data you store and be able to tell people what you’re doing with their data, there’s a very slim chance you’re going to get fined.

If you can prove that you have been working towards compliance, then chances are that the ICO will work with you to become compliant.

However, if you ignore GDPR, and do nothing to comply, then that’s a different story.
If there is a complaint against you and the ICO come and investigate, you may face sanctioning and hefty fines.

What are the levels of fines?

There will be two levels of fines based on the GDPR.

The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.

The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.

The potential fines are substantial and a good reason for companies to ensure compliance with the Regulation.
Fines for infringements will be considered on a case-by-case basis and will take a number of criteria into consideration, such as the intentional nature of the infringement, how many subjects were affected and any previous infringements by the controller or processor.

The lower level of fine, up to €10 million or 2% of the company’s global annual turnover will be considered for infringements listed in Article 83(4) of the General Data Protection Regulation.
This includes infringements relating to:

  • Integrating data protection ‘by design and by default’
  • Records of processing activities
  • Cooperation with the supervising authority
  • Security of processing data
  • Notification of a personal data breach to the supervisory authority
  • Communication of a personal data breach to the data subject
  • Data Protection Impact Assessment
  • Prior consultation
  • Designation, position or tasks of the Data Protection Officer
  • Certification

The higher level of fine, up to €20 million or 4% of the company’s global annual turnover will be considered for infringements listed in Article 83(5) of the General Data Protection Regulation.

This includes infringements relating to:

  • The basic principle for processing, including conditions for consent, the lawfulness of processing and processing of special categories of personal data
  • Rights of the data subject
  • Transfer of personal data to a recipient in a third country or an international organisation

When deciding whether to impose a fine or the amount to be paid as a fine, the following will be taken into consideration for each individual case:

  • The nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them
  • The intentional or negligent character of the infringement
  • Any action taken by the controller or processor to mitigate the damage suffered by data subjects
  • The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them
  • Any relevant previous infringements by the controller or processor
  • The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
  • The categories of personal data affected by the infringement
  • The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement
  • Where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures
  • Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42
  • Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

If a controller or processor makes several infringements, the total amount of the administrative fine will not exceed the fine for the most serious infringement for the same or linked processing operations.

Member States will also have the ability to apply penalties for infringements to the GDPR.  The Member State will be responsible for implementing such penalties, which must be effective, proportionate and dissuasive.

Separate to these fines and penalties, individuals will have the right to claim compensation for any damage suffered as a result of violating the GDPR.

No doubt in the first few months, six months, first year of the legislation, the regulators will be looking to make examples of people, and to impress upon people the significance of this legislation and the fact that businesses do have to take it seriously, and it’s not just a box in a ticking exercise.

There’s a high chance that you could be fined if

  • you’re spamming people
  • you’re selling lists when you shouldn’t be
  • you’re not keeping data secure
  • you’re reckless or irresponsible with people’s personal data

However if you’re following the right principles, being sensible about personal data, the tiniest breach is unlikely to get you in trouble.

Keep your eye on the GDPR principles, on the lawful grounds of processing data, and be upfront with people about what you’re doing with their personal data.

Contact us today to arrange a free GDPR consultation.
Email: enquire@old.p4p.uk.com
Tel: +44 (0) 117 9374712

Tags:

Request a Demo