This is the sixth instalment of our GDPR FAQs mini blog series. In this blog we consider what could go wrong if your organisation fails to comply with the legislation and suffers a data breach.

Our Frequently Given Response:

A lot of emphasis has been placed on the dramatic increase in fines under GDPR. The Information Commissioner’s Office (“ICO”) had the ability to levy fines of up to £500,000 under the Data Protection Act 1998. Under GDPR, those potential fines have increased to 20 million Euros or 4% of group worldwide turnover (whichever is higher) for the most egregious breaches, and 10 million Euros or 2% of group worldwide turnover for all other breaches. The two tiers can be broadly categorised as breaches that affect the data subject (which may attract the higher level of fine) and administrative breaches (which may attract the lower level of fine).

Examples of breaches which may attract a top level fine include:

Breaches which may attract a lower level of fine include:

Breach of GDPR – Is the hype warranted?

Although the numbers are intimidating, the ICO has explained that its approach to GDPR non-compliance is not to penalise organisations to such an extent that they may be put out of business, but to encourage best practice. It will consider the size of the organisation as well as the severity of the breach when determining a fine. There are also other steps that the ICO is likely to take before issuing a fine. The ICO may choose to conduct an investigation or an audit to understand the ways in which personal data is processed by an organisation. The ICO may also provide advice and guidance to an organisation to help it improve its processes.

Breach of GDPR – What about directors?

Directors, managers, secretaries or other officers/persons purporting to act in a similar capacity may be liable to proceedings and action (usually in the form of a fine) if a company commits an offence under the Data Protection Act 2018 (which supplements GDPR in the UK) and the offence was committed with the “consent or connivance of or was attributable to neglect on the part of” the director, manager, secretary or officer or person.

If you are concerned about the implications of GDPR non-compliance and would like to discuss this in more detail, please contact Matthew Hattersley or Florence Maxwell.