Welcome to the fourth instalment in our mini-series of blog posts on the General Data Protection Regulation. The blogs provide background to the GDPR and include tips to help you make sure your business has robust data protection processes and procedures in place, which in turn will help ensure compliance with the Data Protection Act 1998 and the GDPR. In our last GDPR blog we summarised the requirements around consent under the GDPR.
This blog discusses the powers of the Information Commissioner’s Office (“ICO”) to levy fines and take action against an organisation that breaches the GDPR.
Data Controller or Data Processor?
Under the Data Protection Act 1998 (“DPA”), the ICO can only take action against a data controller. Under the GDPR, action can be taken against both a data controller and a data processor. The ICO may choose to take action against both the data controller and the data processor if it believes both have played a role in breaching the legislation.
Are the fines significant?
Under the DPA, the maximum fine the ICO is entitled to levy against a data controller that has breached the legislation is £500,000.
Under the GDPR, the ICO can impose fines of up to 20 million Euros or 4% of total worldwide annual turnover (whichever is greater) against both data controllers and data processors. The following is a non-exhaustive list of GDPR provisions which, if infringed, may attract a top level fine:
- the basic processing conditions including in respect of obtaining consent (see our last GDPR blog);
- infringement of the rights of data subjects;
- international transfers of personal data; and
- failure to implement or adhere to a subject access request process.
For less egregious breaches, the maximum fine is 10 million Euros or 2% of total worldwide annual turnover (whichever is greater). Those breaches include:
- failure to implement measures to ensure privacy by design (i.e. ensuring data protection is considered in the early stages of a project and throughout its lifecycle);
- failure by a controller in relation to the engagement of processors;
- failure of a processor to process data only in accordance with the controller’s instructions;
- failure to notify personal data breaches to the ICO (and, where required, to the affected data subjects); and
- failure to appoint a data protection officer, if such appointment is required pursuant to the GDPR.
What else will the ICO consider?
The ICO will take into account the circumstances surrounding the breach when assessing the level of fine. These include, for example, the type and volume of personal data affected by the breach, the level of loss or damage suffered by the affected data subjects, whether the breach was negligent or wilful, the degree of cooperation with the ICO and any previous infringements of the GDPR by the breaching party.
In addition to the imposition of fines, the ICO may choose to conduct audits, review certifications, issue warnings and reprimands to controllers and processors that have breached the GDPR, and impose limitations and restrictions on the breaching party’s ability to process personal data. Reputational damage could also be significant.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.