GDPR fines: How high are they, and how can you avoid them?
A look at the various reasons why a company may find itself facing regulatory action
When the EU's General Data Protection Regulation came into force in May 2018, perhaps its most contentious and fear-inducing component was its significantly harsher approach to sanctions.
The regulation grants data authorities far greater powers to bring companies to account. In the UK, the Information Commissioner's Office can now issue fines of up to 4% of a company's annual turnover, or €20 million (whichever is greater), for the worst data offences.
Although GDPR is a European regulation, more or less the same provisions, including the tougher fines, were introduced into UK law as part of the UK's Data Protection Act 2018, which worked to harmonise laws between the UK and the EU - and will continue to operate regardless of Brexit.
Hundreds of fines have already been levied against companies across Europe, the vast majority of which were in the low thousands for fairly minor infractions. However, there have been a handful of major fines that have hit the upper threshold of what's possible.
In January, French data protection authority CNIL fined Google €50 million over a lack of transparency and for failing to secure appropriate consent as part of its advertising model.
The two largest fines to date were both levied by the UK's ICO. In July, British Airways was fined £183 million following an investigation of a data breach in September 2018, which found the company had failed to implement robust enough security policies. A day later, Marriott International was fined £99 million for similar shortcomings that led to a breach of its systems in November 2018.
The massive, regular fines that many people envisaged coming as a result of GDPR never really materialised. However, it is already clear that regulators will not shy away from issuing substantial penalties if they believe they are merited.
A tiered approach to fines
According to Article 83 of the new data protection rules, regulators will adhere to a two-tiered structure for the administration of sanctions. The higher tier carries potential fines of up to €20 million, or 4% of global annual turnover, whichever is higher. The lower tier carries a maximum fine of €10 million, or 2% of annual turnover, whichever is higher.
Article 83 stipulates that lower-tier fines should typically be handed out to those organisations that have failed to integrate data protection policies "by design and by default" into the services they offer to the public. Additionally, any company that fails to cooperate with a data regulator, regardless of the nature of a breach, is also likely to fall into this tier.
The lower tier also marks out companies that have failed to assign a data protection officer (when it's clear that one is required), those companies that fail to inform data subjects as and when their personal data is compromised, and those that fail to keep adequate records of the data they are processing.
The often panic-inducing higher tier will, on the other hand, apply only to the most serious GDPR infringements, including breaching subjects' data and privacy rights, not following the basic principles of data protection, and refusing to comply with demands and requests from the data regulator, such as a refusal to comply with a previous warning or an order on processing data. How an organisation handles user consent will also be considered.
Will you always be fined the maximum?
Despite the claims of many irresponsible lawyers and software companies in the run-up to GDPR, the vast majority of enforcement actions from regulators will fall far short of the multi-million euro fines technically possible. That's if enforcement even gets that far: provided a company is responsible and willing to engage with regulators, sanctions can be mitigated.
The regulations also make it clear that any fine will need to be administered on a case-by-case basis, and in the spirit of being "effective, proportionate and dissuasive". This means regulators are required to assess the nature of each individual infringement, including how serious it is, the duration of the incident, its scope, the extent to which the company took steps to prevent it, and ultimately how likely the incident is to infringe on the rights of the company's data subjects.
How negligent a company has been is typically the biggest factor in determining a resulting fine, and is often cited as the reason why financial sanctions are justified. The ICO has repeatedly stated that its goal is to work alongside companies to maintain compliance and that it does not purely exist to strike fear into those it regulates - a clear willingness to get data protection right will go a long way.
That willingness, however, will need to be demonstrable. Showing you took every reasonable step to enforce data protection rules across both your organisation and supply chains, ensuring that data was not processed unnecessarily, and reporting data breaches as quickly as possible, are all clear signs of a compliant company.
James Pressley, associate solicitor at law firm Kirwans, cited a case in which the ICO issued Carphone Warehouse a fine of £400,000 under the Data Protection Act 1998, 80% of the maximum fine then available. He also cited WhatsApp's purchase by Facebook and the undertaking the messaging service gave to the ICO not to transfer any WhatsApp UK user data to Facebook.
"When dealing with organisations of that size, it is easy to imagine that fines of the new GDPR limits could be considered 'proportionate'," he warned.
How will the ICO operate post-GDPR?
The ICO, charged with enforcing data regulation in the UK, has gained a reputation for being a conservative regulator, inclined towards leniency.
Given the scale and severity of fines possible under GDPR - 40 times greater than the maximum £500,000 under the Data Protection Act 1998 - all eyes are now on the ICO as to how it will operate.
"And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective," Information Commissioner Elizabeth Denham said in a speech last August.
In the same speech, she reassured organisations that "predictions of massive fines under the GDPR that simply scale up penalties we've issued under the Data Protection Act are nonsense," indicating the ICO will continue to operate in much the same vein as it has thus far, with fines a last resort.
However, Denham was also keen to dismiss predictions of a 'grace period' for compliance, in which the ICO would be lenient in the first few months following the introduction of GDPR, given businesses have had two years to prepare.
"Elizabeth Denham, the current Information Commissioner, has given the ICO a higher profile and made it more proactive, with actions including, for example, the recent raids on the offices of Cambridge Analytica," Pressley continued.
"It would be entirely consistent with that approach for the ICO to demonstrate its new powers by imposing substantial fines, which would serve the dual purpose of bringing many private organisations into line."
Denham also indicated that infringements in any areas previously covered by the Data Protection Act 1998 would be viewed dimly. Conversely, organisations that self-report areas of non-compliance would be looked on favourably.