GDPR Non-Compliance Penalty

Under the GDPR, organisations that fail to comply and/or suffer a data breach could face a fine. In the most serious cases, this fine could be up to 17 million euros, or 4% of a company’s annual turnover.

GDPR penalties and fines

Now the Brexit transition period has ended, there are two versions of the GDPR (General Data Protection Regulation) that UK organisations might need to comply with: 

  • The UK GDPR, which, with the DPA (Data Protection Act) 2018, applies to the processing of UK residents’ personal data; and 
  • The EU GDPR, which continues to apply to the processing of EU residents’ personal data. 


The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements.

The EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements.

However, not all GDPR infringements lead to data protection fines. Supervisory authorities such as the UK’s ICO (Information Commissioner’s Office) can take a range of other actions, including:

  • Issuing warnings and reprimands;
  • Imposing a temporary or permanent ban on data processing;
  • Ordering the rectification, restriction or erasure of data; and
  • Suspending data transfers to third countries.

When deciding whether to impose a fine following a data breach, the ICO will consider (amongst other things) the following:

  • The severity and duration of the data breach;
  • Whether the breach was intentional or negligent;
  • Whether the company has had a previous data breach;
  • The type of personal data involved in the breach; and
  • Whether the breach affects the rights and freedoms of the individuals affected.