Contravention of data protection law can result in a fine. Under the GDPR there will be a tiered approach with penalties introduced for data processors and a risk of severe fines for both data processors and data controllers.
Definition under the DPA
Sections 55A to 55E provide the Commissioner with the power to serve a monetary penalty.
Section 55A states that in the event that there has been a “serious contravention” of the data protection principles, the Commissioner may serve the data controller with a monetary penalty notice in the event that:
- “The contravention was of a kind likely to cause substantial damage or substantial distress”
- And either of the following are true:
- The contravention was deliberate; OR
- The controller ought to have known that there was a risk the contravention would occur and that the contravention was likely to cause substantial damage or distress and failed to take reasonable steps to prevent the contravention.
What does the DPA definition really mean?
Under the DPA the ICO may impose a fine in response to a data breach. Fines can only be imposed on data controllers, who are held accountable for the breaches of their data processor (subject to contractual provisions between them). Fines of up to £500,000 can be imposed depending upon the severity of the breach.
Definition under the GDPR
Article 83 provides that a Member State’s supervisory authority is empowered to impose administrative fines on data controllers and data processors that shall “in each individual case be effective, proportionate and dissuasive”.
The decision to impose a fine and the level of the fine shall be based on consideration of the circumstances of the case, including “the nature, gravity and duration of infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered” the “intention or negligent character of the infringement” and “any action taken by the controller or processor to mitigate the damage suffered by the data subjects”.
Depending upon the nature of the breach, Article 83 makes provision for infringements to be subject to a tiered system of administrative fines.
Fines of 10,000,000 EUR or in the case of undertakings, 2% of worldwide turnover (whichever is higher) may be imposed for breaches of obligations which include the following:
- Obtaining consent for processing children’s data (Article 8);
- Implementing technical and organisational measures which ensure data protection by design and by default (Article 25);
- Maintaining written records (Article 30).
Even higher fines of 20,000,000 EUR or in the case of undertakings, 4% of worldwide turnover (whichever is higher) may be imposed for breaches of provisions which include the following:
- The basic principles of processing (Articles 5, 6, 7 and 9);
- The provision of data subject’s rights (Articles 12-22).
In addition Article 84 allows Member States to impose penalties for other breaches not covered by the fines above. These penalties have to be notified to the Commission by 25 May 2018.
What does the GDPR definition really mean?
The ICO may impose a fine for a breach of data protection law, depending upon the nature of the breach and taking into account all surrounding circumstances.
Under the GDPR fines may be levied against controllers and processors.
There are two tiers of administrative fines:
- Some breaches may result in fines of 10,000,000 EUR/ 2% or worldwide turnover (whichever is higher)
- Other breaches will result in fines of 20,000,000 EUR/ 4% of worldwide turnover (whichever is higher).
What are the significant differences between the DPA and the GDPR?
Under the DPA, data controllers are held accountable for breaches by their data processor suppliers, but under GDPR, fines may be levied against both the data processor and the data controller.
Under the DPA the ICO could levy fines of £500,000. The GDPR provides supervisory authorities with the power to levy severe administrative fines of up to 20,000,000 EUR, or 4% of the worldwide annual turnover for the proceeding year if this is higher.
What effect will this have on UK businesses?
The GDPR changes the implementation of data protection law for data processors, requiring data processors to ensure their actions are compliant with data protection law.
The GDPR also makes the risk of failing to comply with data protection law a significant economic consideration for all UK businesses. The potential for severe fines combined with the requirement to notify the supervisory authority of a data breach will likely result in organisations tightening their compliance with data protection law to avoid the commercial and reputational risks.
What will my business need to do?
You should run a GDPR gap analysis to determine whether there areas where you would be non-compliant under GDPR. What is the risk exposure? Once the analysis has been completed you can prioritise steps to mitigate risk.
You should consider your liability under your existing arrangements with customers, suppliers and other partners. What is your contract position for liability and exclusion? Do these contracts need to be reviewed and re-negotiated?
You should review and update your risk registers.
You should consider whether your current insurance levels are sufficient.
Will a data breach automatically result in an administrative fine?
No. Administrative fines are discretionary and must be imposed on a case by case basis considering the surrounding circumstances set out in the GDPR. The supervisory authority may consider factors such as the nature, gravity and duration of the infringement, whether the infringement was intentional or negligent, and whether there are any previous relevant infringements.
Are fines the only type of sanction imposed by supervisory authorities?
No. Fines may be imposed instead of, or in addition to, other measures. Recital 148 clarifies that in the case of a minor infringement, or where a fine would impose a disproportionate burden on a natural person, a reprimand may be issued instead of a fine.
Can I still be fined if I am not an “undertaking”?
Yes. Recital 150 clarifies that an administrative fine can be imposed on a person that is not an undertaking, however, in those circumstances, the general level of income in the Member State will be taken into account as well as the economic situation of the person when considering the appropriate amount of the fine. Recital 150 also clarifies that the meaning of “undertaking” is the same as Articles 101 and 102 of the Treaty on the Functioning of the European Union which, broadly speaking, is an entity engaged in economic activity.
- DPA means the Data Protection Act 1998, the statute that previously governed the processing of personal data in the UK.
- GDPR means the General Data Protection Regulation, the EU law that is now in place of the Data Protection Act 1998.
- Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- Data processor means a person or organisation who processes the data on behalf of the controller
- Commissioner the Information Commissioner
- ICO the Information Commissioner’s Office
This briefing is based on the law as it stands in July 2017. It is possible (and, indeed, likely) that, before the GDPR comes into force in May 2018, the Information Commissioner’s Office will release a number of guidance notes that will help to interpret the GDPR. These guidance notes may offer additional advice for UK businesses, and may even cause some of the information in this briefing to become incorrect. As a result, this briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.