GDPR Q&A: Penalties and fines

In June, IT Governance kicked off its EU GDPR webinar series with ‘Preparing for the EU GDPR: An introduction’. The webinar, presented by founder and chief executive officer Alan Calder, provided an introduction to the General Data Protection Regulation and the requirements organisations need to meet in order to comply with the Regulation before it comes into force in May 2018.

As expected, many of you asked questions about the GDPR during the webinar. This blog provides Alan’s answers to questions about penalties, fines and breaches under the new Regulation.

Will organisations be fined at the highest rate even if they demonstrate that the necessary measures have been taken to reduce the breach risk?

“The GDPR says that fines are intended to be ‘effective, proportionate and dissuasive’, but also have to take into account what the organisation has done in order to meet the GDPR requirements.

“For example, if an organisation is negligent and does not meet the GDPR requirements by 25 May 2018 and a data breach of 50,000 sets of personal information is released without information being encrypted, the organisation could expect the maximum fine. If, however, the organisation has made significant progress in achieving compliance, implemented an information security management system, encrypted personal data and has a data breach reporting process in place, then the organisation has taken all the necessary measures, which means that the data breach risk is quite low. Ultimately, the decision about fines will be made by the supervisory authority in line with the rule of law and proportionality.”

Do financial penalties apply to charities?

“Charities should assume that the GDPR applies to them as much as it applies to any other organisation. Charities have limitations in terms of permissions they need to handle the data, but there’s greater room for manoeuvre around what data they can process and what permissions they have to get from other controllers. However, charities should assume that penalties apply to them as much as they apply to anyone else.”

Who is responsible for informing a data subject in the event of a breach?

“This responsibility falls on the data controller, which is the organisation that collects the data. Moreover, the binding contractual relationship with the data processor should ensure that if your data processor is breached they inform you in time for you to meet your reporting obligations to your supervisory authority. If the processor has wide knowledge of the data, they might have more up-to-date information than you do, so you need to be clear how you as the controller are notified and how the individuals themselves are notified of the data breach.”
