What penalties could I face if I do not comply with GDPR?

17 Jan, 2018

Since the start of the New Year, the media has revved up its coverage of GDPR (General Data Protection Regulations for anyone who does not have that etched on their brain yet!)  We are seeing more and more enquiries for our training courses with businesses wanting to know what they can do on a practical level to make sure they are compliant.  We are busy putting plans in to action ourselves to make sure that as a business we protect the vast amounts of data that we have.  But for those businesses who perhaps haven’t thought about it yet, or worse still think the Regulations do not affect them, what could be the consequences of failure to comply with GDPR?  Here we take a look at the penalties for non-compliance.

GDPR gives the ICO (Information Commissioner’s Office) more power to investigate and enforce than the Data Protection Act.  They key change is the power to levy more substantial fines which will not come as good news to businesses. Further, these can now be levied against both a data controller and a data processor if necessary.

Under GDPR the ICO can impose fines of up to 20 million Euros or 4% of the group worldwide turnover (whichever is the greater) against both data controllers and data processors.  It is likely that certain infringements will be seen as ‘top level’ and will attract the higher fines.  This will include things such as:

• The basic processing conditions, including obtaining consent;
• Infringement of the rights of data subjects;
• International transfer of personal data;
• Failure to implement or comply to a subject access request process

Less serious breaches may include:

• Failure to implement measures to ensure privacy by design;
• Failure by a controller in relation to the engagement of processors;
• Failure of a processor to process data only in accordance with the controller’s instructions;
• Failure to report breaches;
• Failure to appoint a data protection officer where one is required under GDPR.

These lower level breaches could still attract fines of up to 10 million Euros or 2% of the group worldwide turnover (whichever is the greater) – still a hefty amount!

As well as fines, the ICO could do any of the following:

• Conduct audits;
• Review certifications;
• Issue warnings and reprimands to controllers and processors that have breached GDPR;
• Impose limitations and restrictions around the breaching party’s ability to process data.

Also bear in mind that the biggest penalty could be to your own and your business reputation.

So, what does all this mean?

Whilst there is a lot of scaremongering around about these penalties, the reality may well be that as long as businesses are seen to have policies and procedures in place and to be trying to comply they may be safe.  Equally, as often happens with new legislation, there will be some test cases and no doubt some businesses will be used to make examples of.  The reality is that GDPR affects ALL businesses.  Why run the risk of being that ‘example’ business?

For any business reading this article and thinking that now may be the time to be doing something about GDPR but not sure where to start, we can help.  We have training courses available as well as two fully trained GDPR practitioners who can provide consultancy to businesses that would like a more hands on approach to assistance with GDPR compliance.  For more information call our Client Services team on 01905 670303 or e-mail info@isoqsltd.com

https://www.isoqsltd.com/