Will regulators actually fine businesses 4% of global turnover for committing a General Data Protection Regulation offence? What are the actual repercussions of failing to comply with GDPR?
It’s a headline-grabbing threat designed to leave you shaking at your keyboard, fearful that one wrong keystroke will siphon off €20m, or 4% of turnover, whichever hurts the most. The current maximum fine that can be levied under the Data Protection Act 1998 is peanuts in comparison: £500,000.
Some of the biggest fines levied by the UK’s data protection regulator, the ICO, would balloon under GDPR rules. TalkTalk’s 2016 fine of £400,000 would become nearly £60m.
However, GDPR is not about fines. The ICO has made clear that maximum fines will not become the norm, nor will examples be made of big brands for minor infringements. As they’ve said, they prefer the carrot to the stick. The ICO’s record bears this out. In 2016/17, the regulator dealt with over 17,000 cases. Only 16 resulted in a fine.
Learn more: download VinciWorks’ GDPR guide to make sure your business is ready for GDPR implementation on 25 May.
GDPR regulator not looking to cripple large businesses
The regulator has a range of tools available on a tiered basis, starting with ordering audits, issuing warnings and reprimands, demanding compliance and launching investigations. The ICO, like GDPR, is focused on getting data protection right for citizens, not fining businesses to within an inch of their profit margin.
Even GDPR takes a tiered approach to fines. Article 83 outlines two tiers: the first is up to €10m, or 2% of annual turnover, for breaches of data protection obligations; only breaches of data subjects’ rights and freedoms are subject to the €20m / 4% figure.
Nevertheless, breathing easy about massive fines dropping through the letterbox should not be a distraction from the very real need to do some serious compliance work around GDPR. On 30 January 2018, the High Court made it clear that companies can be found liable for data protection breaches committed by their employees. The case centred on a disgruntled Morrisons employee who leaked the personal details of 100,000 colleagues. The Court found that Morrisons should have known the employee was a data protection risk and taken steps to restrict their access to sensitive data.
Sorting the GDPR fact from the fiction
While it is very much a myth that come 26 May 2018, multi-million pound fines will start piling up with every lost laptop and unwanted marketing call, the underlying truth is that compliance is a serious business and should be treated with the weight that the maximum penalty brings. The purpose of such eye-watering fines is not to make money for the regulator, but to underline the fact that GDPR changes the game when it comes to protecting personal information. It is no longer acceptable for any business to blatantly disregard the rights and freedoms of customers and expect no more than a slap on the wrist.
This blog is the first in a series of GDPR Mythbusters VinciWorks will be publishing to help businesses distinguish between helpful guidelines and scary myths.