Now the Brexit transition period has ended, there are two versions of the GDPR (General Data Protection Regulation) that UK organisations might need to comply with:
- The UK GDPR, which, with the DPA (Data Protection Act) 2018, applies to the processing of UK residents’ personal data; and
- The EU GDPR, which continues to apply to the processing of EU residents’ personal data.
Learn more about the differences between the UK GDPR and EU GDPR >>
The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements.
Th EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements.
However, not all GDPR infringements lead to data protection fines. Supervisory authorities such as the UK’s ICO (Information Commissioner’s Office) can take a range of other actions, including:
- Issuing warnings and reprimands;
- Imposing a temporary or permanent ban on data processing;
- Ordering the rectification, restriction or erasure of data; and
- Suspending data transfers to third countries.
There will be two levels of fines based on the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. The potential fines are substantial and a good reason for companies to ensure compliance with the Regulation.
The Parliament had requested for fines to reach €100 million or 5% of the company’s global annual turnover. The agreed fines are the compromise that was reached.
Fines for infringements will be considered on a case-by-case basis and will take a number of criteria into consideration, such as the intentional nature of the infringement, how many subjects were affected and any previous infringements by the controller or processor.
Further information
The lower level of fine, up to €10 million or 2% of the company’s global annual turnover, will be considered for infringements listed in Article 83(4) of the General Data Protection Regulation.
This includes infringements relating to:
- Integrating data protection ‘by design and by default’
- Records of processing activities
- Cooperation with the supervising authority
- Security of processing data
- Notification of a personal data breach to the supervisory authority
- Communication of a personal data breach to the data subject
- Data Protection Impact Assessment
- Prior consultation
- Designation, position or tasks of the Data Protection Officer
- Certification
The higher level of fine, up to €20 million or 4% of the company’s global annual turnover, will be considered for infringements listed in Article 83(5) of the General Data Protection Regulation.
This includes infringements relating to:
- The basic principle for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data
- Rights of the data subject
- Transfer of personal data to a recipient in a third country or an international organisation
When deciding whether to impose a fine or the amount to be paid as a fine, the following will be taken into consideration for each individual case:
- The nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them
- The intentional or negligent character of the infringement
- Any action taken by the controller or processor to mitigate the damage suffered by data subjects
- The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them
- Any relevant previous infringements by the controller or processor
- The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
- The categories of personal data affected by the infringement
- The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement
- Where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures
- Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42
- Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
If a controller or processor makes several infringements, the total amount of the administrative fine will not exceed the fine for the most serious infringement for the same or linked processing operations.
Member States will also have the ability to apply penalties for infringements to the GDPR. The Member State will be responsible for implementing such penalties, which must be effective, proportionate and dissuasive.