The GDPR has carried the force of law throughout the EU, the UK included, since 25 May 2018. Any organisation that collects or processes personal data about people in the EU must comply, whether or not the organisation itself is based in the EU. Failure to comply can result in significant GDPR fines or other corrective action.
This post covers the five things your company needs to know about GDPR fines. The first is that a fine, if one is imposed, can be very large. The second is that you do not have to guess at your exposure: a GDPR audit consultant can usually deliver a gap analysis that sets out exactly what you need to do to close compliance gaps. If your company has not yet been through a thorough GDPR audit, it is strongly recommended that you commission one.
1. Companies Are Being Fined
The first thing to note is that companies are now actually being fined, and the EU’s supervisory authorities are serious about it. If you doubt their resolve, look up British Airways. In July 2019 the Information Commissioner’s Office (ICO) announced its intention to fine the airline a record £183 million over the 2018 data breach that exposed the personal information of roughly 500,000 customers.
British Airways is not alone. Facebook was fined £500,000 over the Cambridge Analytica scandal, in which user data was harvested and used for political purposes. Because that conduct pre-dated the GDPR, the penalty was issued under the old Data Protection Act 1998 and was the maximum that law allowed; under the GDPR the ceiling would have been far higher. Since the start of 2019, authorities have issued GDPR fines to Haga Hospital (Netherlands), La Liga (Spain), MisterTango UAB (Lithuania), Google (France), and others.
Before the British Airways announcement, authorities across the EU had issued some €56 million in fines in 91 cases, most of it accounted for by a single €50 million fine against Google. The British Airways figure alone dwarfs that total.
2. Fines Are Not Mandatory
If there is anything positive here, it is that fines are not mandatory. The GDPR (Article 58) gives supervisory authorities broad discretion in dealing with non-compliance. When a compliance issue is identified, the authority can, instead of or in addition to a fine:
- issue a warning or official reprimand
- permanently or temporarily ban data processing by the offender
- order corrective measures, including restriction or deletion of data
- suspend data transfers to other countries.
It is generally assumed that fines are reserved for the most egregious cases. However, there is no guarantee that an organisation found in non-compliance will escape a financial penalty. For the record, more than 59,000 personal data breaches were notified to regulators in the first eight months of the GDPR, and the vast majority of those cases did not result in severe financial penalties.
3. Fines Are Divided into Two Tiers
Deciding the amount of a fine starts with determining which tier the infringement falls under. Article 83 sets out two. The lower tier (Article 83(4)) covers infringements of Articles 8, 11, 25 to 39, 42 and 43, which broadly concern controller and processor obligations such as data protection by design, security of processing, breach notification, impact assessments and data protection officers. The upper tier (Article 83(5)) covers infringements of Articles 5 to 7, 9, 12 to 22 and 44 to 49: the basic processing principles, lawfulness and consent, special category data, data subject rights and international transfers.
A lower-tier infringement can draw a fine of up to €10 million or 2% of the organisation’s total worldwide annual turnover for the preceding financial year; an upper-tier infringement, up to €20 million or 4%. In both cases the cap is the higher of the two figures, so for a large undertaking the percentage is what matters. That is how a penalty as large as £183 million was possible for British Airways: the proposed figure amounted to roughly 1.5% of the airline’s annual turnover, well within the 4% ceiling. So even though fines are not mandatory, they can be very significant.
4. The ICO’s Role
Enforcing the GDPR is the responsibility of a national supervisory authority in each EU member state. In the UK that authority is the Information Commissioner’s Office. The ICO website offers extensive guidance explaining how the GDPR works, what compliance looks like in practice, and how to report a breach.
UK companies are urged to check the ICO website for answers to their questions. The ICO is as serious as any other supervisory authority about ensuring compliance.
5. How to Avoid Being Fined
If you own or operate a business subject to the GDPR, you presumably want to steer clear of fines. You can, but only by demonstrating compliance, and the place to start is having all your data protection policies and procedures audited by a professional. As noted above, a GDPR audit consultant can usually deliver a gap analysis showing where corrective action is needed.
You can also check with the ICO for basic guidance. Note that their guidance is general in nature, given that the GDPR can be applied differently in certain sectors. You might need to seek out more detailed guidance for your sector. Consider seeking advice from a qualified lawyer dealing with EU representation and GDPR compliance.
Over and above the audit, be aware that your company may be required by law to appoint a data protection officer (DPO). Under Article 37 this applies to public authorities and to organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category or criminal conviction data. Whoever performs your audit can probably advise you here as well.
The GDPR is now the law throughout Europe, and it will remain the law in the UK after Brexit, retained in domestic legislation. If your company has not yet made a concerted effort to comply, take a lesson from British Airways and Facebook. Get your company into compliance before you get a visit from the ICO. You really don’t want to be fined.