GDPR: the Truth About Fines

This blog aims to shed some light on the different penalties and actions that can be imposed by the ICO for GDPR non-compliance, and the conditions that could lead to each one happening.

The penalty structure

The GDPR brings a two-tier penalty structure, as follows:

• Tier 1 – up to €10 million or 2% of global turnover, whichever is higher
• Tier 2 – up to €20 million or 4% of global turnover, whichever is higher

Tier 1 fines will be applied for breaches of an organisation’s obligations, among other things, whereas tier 2 fines will be applied for breaches of an individual’s privacy rights, as well as other serious violations. Under the current Data Protection Act (DPA), the ICO has an upper limit of £500,000 for non-compliance, so this does indeed represent a significant increase.

Some experts have been quick to point out how much ICO fines imposed under the DPA would cost organisations under the GDPR. High-profile fines, such as the £400k incurred by TalkTalk in 2016 for allowing hackers to access customer data, could apparently have reached staggering amounts in the tens of millions under the GDPR. Furthermore, concerns have been expressed that some of the fines levied against smaller organisations under the DPA would have potentially been enough to put them out of business under the GDPR.

Other actions

It is worth noting, however, that not all infringements will lead to fines. In addition to the two-tier penalty structure, the ICO can enforce the GDPR in the following ways:

• warnings and reprimands;
• temporary or permanent bans on data processing;
• orders to rectify, restrict or erase data;
• the suspension of data transfers to third countries, i.e. non-EU states

Rather than being issued as standard, administrative fines will be imposed on a case-by-case basis. This makes it very hard to set out exactly how much organisations will be fined, if at all, in any given situation.

Who can be sanctioned?

Under the GDPR, the ICO can take action against Controllers and Processors. This is a change from the Data Protection Act 1998 (DPA), where fines can be levied against Controllers only.

Controllers determine how and why personal data is processed, whereas Processors are responsible for processing personal data on behalf of a controller. For example, if an organisation outsources its payroll to a third party, the organisation is the Controller and the third-party company handling its payroll is a Processor. Both can be fined under the GDPR.

A bit of perspective needed

Ultimately, the exact measures that the ICO will choose to deal with any given case of non-compliance remain an unknown. The Information Commissioner herself has stated, however, that fines have always been, and will continue to be, a last resort. In fact, in the year 2016/17, the ICO concluded 17,300 cases, of which only 16 resulted in fines. And fining organisations for non-compliance is not the ICO’s only purpose; according to the Information Commissioner, education, engagement and encouragement all come before enforcement.

While it is true that fines could be significantly higher under the new regime, the point of the GDPR is not to be overly punitive or draconian. Ultimately, the new legislation is about good information handling and data management, and is designed to place the privacy of individuals above the needs of organisations. It brings much needed changes that will bring data protection law in line with modern working practices.

Of course, fines will be levied for non-compliance or negligence, but they will always be proportionate to the breach in question. Data protection and the right to privacy are serious issues, and should rightly be enforced in a way that dissuades non-compliance or negligence. The responsibility for compliance lies with each organisation, and the right level of preparation, planning and ongoing management will ensure a smooth transition come 25 May and beyond.