Disclaimer – We are not providing any legal advice or consultation pertaining to GDPR or other compliance issues. Please consult with your legal teams and resources to ensure they are aware of their obligations under applicable regulations.
With GDPR coming into force on 25th May 2018 the clock is ticking to get your business fully GDPR compliant.
A topic that keeps coming up that businesses are eager to know is what will happen if they are found to be non-compliant with GDPR after the go live date?
It’s widely known that if found to be non-compliant then the business can incur fines of up to 20 million euros or 4% of their annual turnover (whichever is higher), but this is not the only penalty that can be expected and according to Article 83 of the GDPR it ultimately depends on the infringement that has occurred to what penalty can be expected.
Artice 83 dictates that there are two levels when it comes to the administrative fines for non-compliance, level one and level two. As a general rule, breaches of the Controller or Processor will result in a fine from level one, and breaches of the data subjects rights and freedoms will result in a fine from level two.
- Level One: up to 10 million euros or 2% of the annual turnover
- Level Two: up to 20 million euros or 4% of the annual turnover
The value that is decided upon is not strictly defined and it is largely dependant upon the behaviour of the business and the reasoning for why the non-compliance has taken place. If the business in question actively reports that there has been a breach, takes steps to minimise the damage and can prove that steps were in place beforehand to avoid the breach and to comply, then the authorities will take this into consideration.
The decision of the actual amount of the fine will be down to the authority to decide, when deciding they have the scope to:
- Impose a lower fine
- Issue a warning
- Order Compliance with data subject requests
- Communicate the personal data breach directly to the data subject
In order to reduce the odds of receiving a maximum fine in the event of a data breach, businesses need to ensure that they have satisfactory policies and procedures in place to be able to identify breaches, actions that need to be completed in the event of a breach etc. Businesses should actively communicate the breach with the authorities and ensure that they do all they can to help and comply with the authority.