Penalties for non-compliance

Under the GDPR, supervisory authorities (SAs) (in the UK, the ICO) have a range of powers to deal with non-compliance by both data controllers and data processors. These powers include issuing warnings, carrying out audits, requiring specific remediation within a given timeframe, ordering the erasure of data, and suspending data processing and/or data transfers. In addition to these powers, SAs can impose substantial administrative fines. The fines fall into two tiers, and the tier that applies depends on the nature of the infringement. The fines are expressed in Euros; the current draft UK legislation provides for a spot rate of exchange from Euros to pounds sterling.

2% of total global annual turnover / €10 million

Breaches which can attract a fine of up to 2% of total global annual turnover or €10m (whichever is the higher), include failure to:

  • obtain parental consent when processing a child's personal data, where the GDPR requires it
  • implement appropriate technical and organisational measures to ensure data protection
  • (for a processor) process personal data only in accordance with the documented instructions of the data controller
  • maintain sufficient records of processing activities
  • notify personal data breaches to the SA, and where required to the affected data subjects, within the required timescale
  • carry out a Data Protection Impact Assessment where required
  • appoint a DPO where required, or ensure that the DPO is involved in all issues which relate to the protection of personal data

4% of total global annual turnover / €20 million

Breaches which can attract a fine of up to 4% of total global annual turnover or €20m (whichever is the higher), include failure to:

  • process personal data in a lawful, fair and transparent manner, in line with the data protection principles
  • demonstrate that valid consent was given by the data subject to the processing of their personal data, where consent is relied upon
  • respond correctly, and within the statutory time limit, to subject access requests
  • comply with a data subject's right to erasure (the "right to be forgotten")
  • comply with the rules on transferring personal data outside of the EEA
  • comply with an order or other sanction (such as a limitation or suspension of processing) imposed by the SA

Circumstances giving rise to fines

When deciding whether or not to impose a fine, and at what level, the SA will consider all of the relevant circumstances of the case and any aggravating or mitigating factors, including the following:

  • the nature, gravity, and duration of the infringement
  • the number of data subjects affected and the level of damage they suffered
  • any action taken by the controller or processor to mitigate the damage suffered by data subjects
  • the negligent or intentional character of the infringement
  • any previous infringements by the data controller or data processor
  • adherence to approved codes of conduct or approved certification mechanisms