GDPR Penalties Explained

From May 25, the General Data Protection Regulation (GDPR) has been enforceable in all European Union Member States. What many organisations do not realise is that if they have any interactions with staff members or customers who are European Union citizens, they must comply with GDPR, no matter where their business offices are located.

A well-known aspect of the regulation is the size of the fines. Firms are worried that they may lose large amounts of money for being non-compliant. Others claim it will be cheaper to pay the fines, if they get caught, than to invest the money in becoming compliant.

When fines are levied, a major consideration will be the efforts the business made to become GDPR compliant. In practice, there should be clear evidence of attempts to prevent personal data breaches and of honesty in reporting any breaches that do occur.

The Two-Level GDPR Fine System Explained

The first level of fines is the one that most people are aware of: a maximum of €20m or 4% of annual income, whichever is higher. There is also a second level, where the maximum penalty is €10m or 2% of annual income.

The difference between these two levels is explained in Article 83 paragraph 1 of GDPR.

Article 83 paragraph 2 sets out the factors that distinguish the two fine levels. When deciding which level is most appropriate, data protection authorities will consider such things as:

  • The details of the infraction
  • Range or gravity of the infraction
  • How long the infringement went on for
  • Extent of the damage to data subjects: how many were affected, and the degree to which their data was impacted
  • The co-operation of the business and its recorded efforts towards compliance

There is a new onus on companies to report any breaches or oversights in data protection. If they do not do so, they face severe sanctions.

The cost of steep fines, which could reach €20m, is not the only concern. Media coverage of these infractions and the resulting penalties could damage the company’s reputation.

Staff infractions, whether deliberate or accidental, may lead to company fines, as in the recent occurrence at Morrison’s. A staff member’s deliberate disclosure of employees’ personal data ended with over 5,000 employee demands for compensation. If this were to happen now that GDPR is enforceable, the company would be facing a fine on top of the employees’ compensation expenses.

How to Report a GDPR Breach

GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Prior to GDPR, such embarrassing breaches might well have gone unreported. However, the increased risk of large fines now makes non-reporting a serious issue.

Data Controllers in each company must notify the infractions control officer (ICO) of breaches promptly. The Controller has 72 hours to file the report after the breach is identified. Any further delay is likely to result in major fines.

Employees will be expected to inform their Data Controller of a data breach. If the breach does not pose a real security risk, the Data Controller is not obligated to contact the ICO.

Sanctions for Tier One data breaches, the most serious, can lead to the Data Controller and the company being fined up to €20m. Tier Two data breaches, which are less serious, face fines of up to €10m.

Clearly, firms need to train their staff about GDPR infractions and the resulting sanctions. Ignorance of the legislation will not be accepted as an excuse.