GDPR Enforcement and Penalties
Regulatory fines for non-compliance with the EU’s GDPR (General Data Protection Regulation) are much higher than under the UK’s DPA 1998 (Data Protection Act 1998) which preceded it. In contrast with the DPA 98’s maximum fine of £500,000, the GDPR introduced “effective, proportionate and dissuasive” administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater.
However, not all GDPR infringements will lead to fines.
Besides the power to impose fines, the ICO (Information Commissioner’s Office) has a range of corrective powers and sanctions to enforce the GDPR, including:
- Issuing warnings and reprimands;
- Imposing a temporary or permanent ban on data processing;
- Ordering the rectification, restriction or erasure of data; and
- Suspending data transfers to third countries.
Data breaches happen. How prepared is your organisation?
Find out if your breach response plan stacks up against the requirements of the GDPR. Take our free breach readiness assessment to identify your gaps, get your overall score and receive a free personalised guide, explaining how you can address your risks.
Check your breach readiness score
What is the maximum administrative fine under the GDPR?
There are two tiers of administrative fines that can be levied as penalties for non-compliance:
- Up to €10 million, or 2% annual global turnover – whichever is higher.
- Up to €20 million, or 4% annual global turnover – whichever is higher.
Although there has been considerable media speculation about GDPR fines, the ICO has repeatedly said that it would not make early examples of organisations for minor infringements of the GDPR, nor would maximum fines become the norm.
Fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”.
The fines are based on the specific articles of the Regulation that the organisation has breached.
Data controllers and processors face administrative fines of
- the higher of €10 million or 2% of annual global turnover for infringements of articles:
- 8 (conditions for children’s consent),
- 11 (processing that doesn’t require identification), 25-39 (general obligations of processors and controllers), 42 (certification), and 43 (certification bodies); and
- the higher of €20 million or 4% of annual global turnover for infringements of articles:
- 5 (data processing principles),
- 6 (lawful bases for processing), 7 (conditions for consent), 9 (processing of special categories of data), 12-22 (data subjects’ rights), and 44-49 (data transfers to third countries).
Making sure that your organisation is compliant with the GDPR will reduce the chance of its incurring an administrative fine.
Learn more about the steps you need to take to comply with the GDPR >>
How are GDPR fines applied?
The GDPR’s harmonised approach to data protection requires consistent enforcement across the EU.
The EU’s Article 29 Data Protection Working Party – now replaced by the European Data Protection Board – issued guidelines on the application and setting of administrative fines in 2017.
When deciding whether to impose a fine and the level, supervisory authorities – including the UK’s ICO – must consider:
- The nature, gravity and duration of the infringement;
- The intentional or negligent character of the infringement;
- Any action taken by the organisation to mitigate the damage suffered by individuals;
- Technical and organisational measures that have been implemented by the organisation;
- Any previous infringements by the organisation or data processor;
- The degree of cooperation with the regulator to remedy the infringement;
- The types of personal data involved;
- The way the regulator found out about the infringement;
- The manner in which the infringement became known to the supervisory authority, in particular whether and to what extent the organisation notified the infringement;
- Whether, and, if so, to what extent, the controller or processor notified the infringement; and
- Adherence to approved codes of conduct or certification schemes.
Liability for damages
The GDPR also gives individuals the right to compensation for material and/or non-material damage resulting from an infringement of the GDPR.
The remedies, liabilities and penalties that could result from non-compliance with the GDPR underline the importance of preparing your organisation.
Browse our range of free resources and comprehensive solutions to help you meet your GDPR compliance objectives.
Download our free GDPR resources
Shop our range of GDPR products and services
Speak to an advisor
IT Governance’s specialists can help your organisation become GDPR compliant and avoid costly administrative fines.
Please contact our GDPR team for expert advice, and guidance on our products and services.