General Data Protection Regulation: administrative fines
On 25 May 2018, the General Data Protection Regulation (GDPR) will be the applicable law in the EU on the processing of personal data and free movement of data, replacing the Data Protection Act 1998 in the UK.
The GDPR will be directly applicable in all Member States. Under the GDPR an organisation can face administrative fines of up to €20 million or 4% of the group's total worldwide annual turnover, whichever is higher. This is significantly more than the current maximum fine of £500,000.
The EU's final guidelines on the application and setting of administrative fines under the GDPR provide guidance to supervisory authorities on the imposition of administrative fines. The Information Commissioner's Office is the UK's supervisory authority.
In determining whether a fine should be imposed and the amount of the fine, supervisory authorities are expected to consider a number of criteria including:
- the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of people affected and the level of damage suffered by them;
- the intentional or negligent character of the infringement;
- any action taken by the data controller or processor to mitigate the damage suffered by people;
- the degree of responsibility of the data controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 (data protection by design and default) and 32 (security of processing);
- the degree of co-operation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
- the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the data controller or processor notified the infringement.
Organisations should therefore:
- check that you have systems in place to comply with the GDPR;
- familiarise yourselves with the guidelines, because supervisory authorities will consider them when imposing administrative fines.