GDPR - Fines and Penalties


Welcome to the fourth instalment in our mini-series of blog posts on the General Data Protection Regulation. The blogs provide background to the GDPR and include tips to help you make sure your business has robust data protection processes and procedures in place, which in turn will help ensure compliance with the Data Protection Act 1998 and the GDPR. In our last GDPR blog we summarised the requirements around consent under the GDPR.

This blog discusses the powers of the Information Commissioner’s Office (“ICO”) to levy fines and take action against an organisation that breaches the GDPR.

Data Controller or Data Processor?

Under the Data Protection Act 1998 (“DPA”), the ICO can only take action against a data controller. Under GDPR, action can be taken against both a data controller and a data processor. The ICO may choose to take action against both data controller and data processor if it believes both have played a role in breaching the legislation.

Are the fines significant?

Yes!

Under the DPA, the maximum fine the ICO is entitled to levy against a data controller that has breached the legislation is £500,000.

Under the GDPR, the ICO can impose fines of up to 20 million Euros or 4% of group worldwide turnover (whichever is greater) against both data controllers and data processors. The following is a non-exhaustive list of GDPR provisions which, if infringed, may attract a top-level fine:

For less egregious breaches, the maximum fine is 10 million Euros or 2% of group worldwide turnover. Those breaches include:

What else will the ICO consider?

The ICO will take into account the circumstances surrounding the breach when assessing the level of fine including, for example, the type and volume of personal data affected by the breach, the level of loss or damage suffered by the affected data subjects, whether the breach was negligent or wilful and any previous infringements of GDPR by the breaching party.

In addition to the imposition of fines, the ICO may choose to conduct audits, review certifications, issue warnings and reprimands to controllers and processors that have breached GDPR and impose limitations and restrictions around the breaching party’s ability to process data. Reputational damage could also be significant.

To find out more about how we can help you to prepare for the GDPR please visit our GDPR section or contact Matthew Hattersley or Florence Maxwell.

Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.