This is the sixth instalment of our GDPR FAQs mini blog series. In this blog we consider what could go wrong if your organisation fails to comply with the legislation and suffers a data breach.
Our Frequently Given Response:
A lot of emphasis has been placed on the dramatic increase in fines under GDPR. The Information Commissioner’s Office (“ICO”) had the ability to levy fines of up to £500,000 under the Data Protection Act 1998. Under GDPR, those potential fines have increased to 20 million Euros or 4% of group worldwide turnover (whichever is higher) for the most egregious breaches, and 10 million Euros or 2% of group worldwide turnover for all other breaches. The two tiers can be broadly categorised as breaches that affect the data subject (which may attract the higher level of fine) and administrative breaches (which may attract the lower level of fine).
Examples of breaches which may attract a top level fine include:
infringement of the basic processing conditions, including in respect of obtaining consent and processing data lawfully and fairly;
infringement of the rights of data subjects;
infringement of the requirements relating to international transfers of data, including ensuring there are appropriate safeguards in place; and
failure to implement or adhere to a subject access request process.
Breaches which may attract a lower level of fine include:
failure to implement privacy by design measures;
failure by a data controller in respect of the engagement of data processors;
failure of a processor to process data only in accordance with the controller’s instructions;
failure to report breaches to the ICO; and
failure to appoint a data protection officer, if required.
Breach of GDPR – Is the hype warranted?
Although the numbers are intimidating, the ICO has explained that its approach to GDPR non-compliance is not to penalise organisations to such an extent that they may be put out of business, but to encourage best practice. It will consider the size of the organisation as well as the severity of the breach when determining a fine. There are also other steps that the ICO is likely to take before issuing a fine. The ICO may choose to conduct an investigation or an audit to understand the ways in which personal data is processed by an organisation. The ICO may also provide advice and guidance to an organisation to help it improve its processes.
Breach of GDPR – What about directors?
Directors, managers, secretaries or other officers/persons purporting to act in a similar capacity may be liable to proceedings and action (usually in the form of a fine) if a company commits an offence under the Data Protection Act 2018 (which supplements GDPR in the UK) and the offence was committed with the “consent or connivance of or was attributable to neglect on the part of” the director, manager, secretary or officer or person.