Draft Guidelines On Administrative Fines Under GDPR

Once the General Data Protection Regulation (GDPR) comes into play, in May 2018, it will be possible for any organisation that does not comply to be fined as much as 4% of annual turnover, or £20 million, whichever is the higher amount. When you compare those figures with the current maximum fine of £500,000, for data protection breaches in the UK, you can see how much of an impact the GDPR will have.

Current Guidance on Administrative Fines for Non-Compliance with GDPR

Article 29 Working Party consists of members from every data protection regulatory body in the EU. It is the advisory body for data protection issues across the EU and it has laid out criteria concerning what needs to be considered by a supervisory authority (SA) when deciding whether to impose a fine on an organisation or not. These considerations include:

  • How serious was the breach?
  • How much data was involved?
  • Was the breach intentional?
  • What was the result of the breach?
  • Did the organisation cooperate with the SA?

Every SA has the freedom to make decisions about fines, but they are expected to be consistent. The Article 29 Working Party has yet to deliver set guidelines on how to calculate the amount of the fine.

Fines Are Not The Only Option

The SA can make the decision to use other options to punish non-compliance with the GDPR. It can issue a warning, or impose any of a variety of orders. It’s up to the SA what steps it takes against an organisation, but consistency is required, and it’s expected that SA’s will liaise with each other, to ensure that fines, and other punishment measures, are imposed fairly.