Just how hefty are the new fines under the General Data Protection Regulation (GDPR)? You may be surprised to find out that there’s more to the fines regime than just the €20,000,0000 figure that’s been garnering all the headlines!
The GDPR will take effect on the 25th of May 2018. As part of the general overhaul to data protection laws in the UK and the European Union, the GDPR introduces new protections for EU data subjects including significant fines and penalties for non-compliant data controllers and processors.
The new GDPR measure most likely to draw attention from a business’s management team is the stark departure from the previous maximum fine of £500,000 which will be replaced with a remarkably steep fine of up to €20,000,0000 or four percent (4%) of annual global turnover, whichever is greater.
The GDPR enables the Information Commissioners Officer, which is the regulatory body responsible for compliance with the Data Protection Act 1998 and the GDPR in the UK, to assess fines that are “effective, proportionate and dissuasive.” It sets forth both mitigating and aggravating factors to help assess the amount of a fine. By way of example, intentional data breaches are worse than negligent ones.
However, an organisation can take steps to mitigate aggravating factors by adhering to an organisation-wide code of conduct, pursuing certification mechanisms such as ISO27001, minimizing the use of sensitive categories of personal data, and employing appropriate technical and organisational safeguards to protect personal data. Furthermore, an organisation may potentially limit the amount of a fine by mitigating “the damaging nature, gravity and duration of the violation,” by reporting the violation as soon as possible and cooperating with the ICO.
In addition to the statutory penalties that may be levied by the ICO, the GDPR also allows data subjects to seek monetary damages in court from organisations that violate their rights. Data subjects may bring an action for damages or compensation before the courts of the Member State where they reside, and they also may bring the action in any Member State where the controller or processor has an establishment. Individual claims for damages are also independent from and without prejudice to an action by a supervisory authority, such as the ICO, to impose administrative fines.
The hefty fines and penalties for infringement not only encourage accountability but are also causing organisations of all sizes to invest in a more stringent and robust compliance regime. Is your business prepared to respond to the new accountability and transparency requirements under the GDPR? The clock is ticking!
Time is running out, the GDPR will come into force on the 25th May 2018, don’t get caught out! Click here to read our 12 steps to GDPR compliance.
The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.