Contravention of data protection law can result in a fine. Under the GDPR there is a tiered approach with penalties in place for both data processors and data controllers.
Definition under the GDPR
Article 83 provides that a Member State’s supervisory authority is empowered to impose administrative fines on data controllers and data processors that shall “in each individual case be effective, proportionate and dissuasive”.
The decision to impose a fine, and the level of that fine, is based on consideration of the circumstances of the case, including “the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered”, the “intentional or negligent character of the infringement” and “any action taken by the controller or processor to mitigate the damage suffered by the data subjects”.
Depending upon the nature of the breach, Article 83 provides for infringements to be subject to a tiered system of administrative fines.
Fines of up to 10,000,000 EUR or, in the case of undertakings, up to 2% of worldwide annual turnover (whichever is higher) may be imposed for breaches of obligations which include the following:
- Obtaining consent for the processing of children’s data (Article 8);
- Implementing technical and organisational measures that ensure data protection by design and by default (Article 25);
- Notifying the supervisory authority of a personal data breach (Article 33);
- Maintaining written records of processing activities (Article 30).
Even higher fines of up to 20,000,000 EUR or, in the case of undertakings, up to 4% of worldwide annual turnover (whichever is higher) may be imposed for breaches of provisions which include the following:
- The basic principles of processing (Articles 5, 6, 7 and 9);
- The provisions on data subjects’ rights (Articles 12-22);
- The provisions relating to data transfers outside the EEA (Articles 44-49).
What does the GDPR definition really mean?
The GDPR provides supervisory authorities with the power to levy severe administrative fines of up to 20,000,000 EUR, or 4% of worldwide annual turnover for the preceding year if this is higher. Under the GDPR, fines may be levied against both the data processor and the data controller.
Since its implementation, there have been several high-profile examples of onerous penalties being imposed for breaches of the GDPR. Despite this, such fines are not necessarily representative of the general trend; on the whole, the trend has in fact been towards lower fines than under the previous regime. In the first 12 months, a total of €55.96 million in fines was handed down by the EU’s various supervisory authorities, although €50 million of this was imposed by France’s National Data Protection Commission on Google in May 2018 for breaches concerning the personalisation of adverts and a failure to meet its transparency and information obligations. Since then, the ICO has issued its biggest fine to date: £183 million to British Airways for a hack which occurred in June 2018, just a few short weeks after the GDPR came into force.
What effect has this had on UK businesses?
The GDPR changed the implementation of data protection law for data processors, meaning that data processors must now work harder to ensure their actions are compliant with data protection law, or risk a fine.
The GDPR also made the risk of failing to comply with data protection law a significant economic consideration for all UK businesses. The potential for severe fines combined with the requirement to notify the supervisory authority of a data breach will likely result in organisations tightening their compliance with data protection law to avoid the commercial and reputational risks.
What should my business be doing?
If you haven’t already, you should run a GDPR gap analysis to determine whether there are areas where you would be non-compliant under GDPR. What is the risk exposure? Once the analysis has been completed you can prioritise steps to mitigate risk.
You should consider your liability under your existing arrangements with customers, suppliers and other partners. What is your contract position for liability and exclusion? Do these contracts need to be reviewed and re-negotiated?
You should review and update your risk registers and consider whether your current insurance levels are sufficient.
Will a data breach automatically result in an administrative fine?
No. Administrative fines are discretionary and must be imposed on a case-by-case basis, considering the surrounding circumstances set out in the GDPR. The supervisory authority may consider factors such as the nature, gravity and duration of the infringement, whether the infringement was intentional or negligent, and whether there are any previous relevant infringements.
Are fines the only type of sanction imposed by supervisory authorities?
No. Fines may be imposed instead of, or in addition to, other measures. Recital 148 clarifies that in the case of a minor infringement, or where a fine would impose a disproportionate burden on a natural person, a reprimand may be issued instead of a fine.
Can I still be fined if I am not an “undertaking”?
Yes. Recital 150 clarifies that an administrative fine can be imposed on a person that is not an undertaking; however, in those circumstances, the general level of income in the Member State and the economic situation of the person will be taken into account when considering the appropriate amount of the fine. Recital 150 also clarifies that “undertaking” has the same meaning as in Articles 101 and 102 of the Treaty on the Functioning of the European Union, which, broadly speaking, is an entity engaged in economic activity.
- GDPR means the General Data Protection Regulation, the EU law that effectively replaced the Data Protection Act 1998.
- Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- Data processor means a person or organisation who processes the data on behalf of the controller.
- ICO means the Information Commissioner’s Office, the UK’s supervisory authority.
This briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.