The General Data Protection Regulation (GDPR) came into force on the 25th May 2018. It replaced the Data Protection Directive 95/46/EC with the purpose of strengthening and unifying data privacy laws across Europe.
The EU directive has had far-reaching impact for all organisations that handle individual’s personal data, irrespective of where the organisation is based or the nationality of the individual data subject. Any company that transfers personal data outside the EU to third countries or international organisations will also be subject to strict compliance with the conditions of the GDPR.
It is advisable to seek legal advice to ensure that all conditions are being met since organisations may be subject to GDPR fines if found to be in breach of these regulations.
What is the GDPR?
The primary objective of the GDPR is to give individuals control of how their personal data is used and to ensure that they have full transparency of how the data is obtained and who has access to it.
This also ensures EU citizens the right to raise complaints if they are not happy with how their data has been collected and shared, even if they are not in the country where the data is stored and processed.
According to the GDPR rules organisations must prove that they:
a. Only process data for authorised purposes
b. Ensure data accuracy and integrity
c. Minimise each data subject’s identity exposure
d. Implement data security measures
Both data controllers and data processors are required to abide by the data protection legislation.
GDPR fines and enforcement action
The Information Commissioner’s Office (ICO) has a number of enforcement powers when dealing with GDPR compliance breaches. The ICO can issue warnings and reprimands to an organisation which could lead to discretionary GDPR fines being issued.
Your organisation may find it has a temporary or permanent ban imposed on data processing. Your organisation could be ordered to rectify, restrict or completely erase data, and data transfers to third countries may be suspended.
In addition to these enforcement powers, if your organisation has committed a data breach then you may be liable for claims for damages and will face the risk of harm to the organisation’s reputation.
In more severe cases where your company is found to be in breach of the new EU compliance standards, you could face an administrative fine for non-compliance.
Fines for infringements are considered on a case by case basis and are dependent upon a number of criteria, such as the specific regulation that is alleged to have been breached, the nature and gravity of the infringement, the actions taken by the controller or processor to protect the personal data and any previous infringements from the controller or processor. They must be “effective, proportionate and dissuasive”.
There are two levels of fine:
a. The first is the higher of €10 million or 2% of the company’s global turnover – this can be imposed for infringements such as where a company does not have their records in order (under article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. This fine may also be imposed where secure breaches have been committed. If your organisation is found to have not taken adequate measures to ensure the safety of electronic personal data held. The level of security required depends on many factors including the sensitivity of data stored. There is no one size fits all with measures taken to ensure the security of personal data, but some things to consider would be data encryption for file transfers, adequate security systems to prevent cyber theft and personnel passwords for access to data.
b. The second is the higher of 4% of the global turnover or €20 million for the most serious infringements which could include breaches of data subjects’ rights and freedoms. Examples of these may be any unlawful processing of personal data, such as knowingly transferring data to a third country without prior consent of the data subject or sharing personal data for fraudulent purposes.
Generally, infringements of an individual’s privacy rights will be subject to the higher level whereas non-compliance with organisational obligations such as data security breaches will be subject to the lower level.
Avoiding GDPR fines: What happens if someone makes a GDPR complaint against your organisation?
Article 77 of the GDPR states that every individual has the right to file a complaint if they feel that the processing of personal data infringes on the regulation.
If an individual believes that your organisation has not responded correctly to a request for information, they may raise a complaint with the Information Commissioner’s Office (ICO). If the complaint is not resolved between your organisation and the individual, then the ICO will issue a decision notice which will inform your organisation of the steps to take to put things right.
Failure to comply with the decision notice will lead to further action being taken by the ICO, which could lead to criminal proceedings and GDPR fines being issued.
However, your organisation has the right to appeal the decision of the ICO and may take the complaint to a tribunal. This will require substantial preparation and investigation, and it is advisable to seek legal advice if intending to appeal.
Should the ICO decide that the breach falls outside of the scope of a decision notice, they may decide to issue an enforcement notice. The commissioner may also issue an enforcement notice for repeat offenders.
The ICO will not usually take enforcement action without discussing with your organisation any difficulties with compliance to allow opportunity to address the fundamental causes of any breach.
Avoiding GDPR fines: What to do if you discover a data breach
Should you become aware of a data breach within your organisation, you are legally bound to notify the local data protection authority within 72 hours.
The GDPR requires a full description of the nature of the personal data breach to be disclosed. How many individuals are affected? What are the possible consequences and what measures your organisation has taken to deal with the breach?
You will also need to notify the owners of the breached records, and in some cases the ICO, without due delay, after first becoming aware of the breach. It is important to keep records of any breach as evidence for the ICO.
For example, if a customer database has been stolen, this could lead to the data being used to commit identity fraud. The individuals whose data had been stolen and the ICO would need to be contacted as the individuals may suffer financial loss, or other consequences, as a result of this breach. Each individual data subject affected may also be entitled to compensation where an infringement of their rights has caused personal or reputational damage.
Is it possible to appeal against GDPR fines?
If your organisation is issued a fine for breaching the GDPR, you may be able to challenge the fine if you have sufficient grounds.
You must be able to prove that you have put in place appropriate checks to prevent any beaches occurring, including data security.
Appeals are heard by the First-Tier Tribunal (information rights), part of the General Regulatory Chamber (GRC). You will need to file a notice to appeal with the First-Tier Tribunal within the first 28 days of receiving the decision notice from the ICO.
If the appeal is unable to be settled due to any further complications, it may then be passed on to the Upper Tribunal (Administrative Appeals) Chamber. The Upper Tribunal will also deal with appeals against the decisions made by the First-Tier Tribunal.
Compliance to avoid GDPR fines
The most effective way to avoid GDPR fines is to ensure that your organisation complies with the legislation. These fines are substantial and as such it is advisable that you seek legal advice to ensure that your company is compliant with all the regulations.
Author
Gill Laing is a qualified Legal Researcher & Analyst with niche specialisms in Law, Tax, Human Resources, Immigration & Employment Law.
Gill is a Multiple Business Owner and the Managing Director of Prof Services - a Marketing Agency for the Professional Services Sector.
