Fines and the GDPR

Introduction 

Much of the discussion prior to GDPR going live concerned the sizable increase in the maximum fine that the ICO could levy. Under the Data Protection Act 1998, the largest fine that could be issued was capped at £500,000, regardless the profitability or revenue of the organisation. This is how large multinationals like Sony or Facebook escaped with what seemed like a slap on the wrist.   

Under GDPR, there has been significant change. The maximum that organisations can now be fined has increased from £500,000 to 20 million euros or 4% of global turnover, whichever is greater.  

What wasn’t known back in May last year, was how the ICO would utilize these new powers – would they really fine companies hundreds of millions, if not billions, of pounds? The answer, as we now know, is yes. In July 2019 the ICO issued its first major GDPR fines – issuing British Airways and Marriott International with monetary penalties of £183m and £99m respectively. Both fines send a clear signal that the ICO is now a regulator to be taken seriously.   

Will I always be fined if I breach GDPR? 

No. The ICO has a range of options available to them in deciding how to respond to a breach of information rights. As they make clear in their Regulatory Action Policy, which sets out their approach to regulatory action, the ICO “adopt a selective approach to the action they take”. They consider each individual case on its merits and within the context of any compliance breach. Aside from fines, the ICO has a range of measures they can choose to take. “This spans observation, intelligence gathering and monitoring through to individual case and appeal considerations, as well as application of audit/assessment or inspection powers to better understand an issue, and, then, finally investigation and sanction where we need to look at and address the detail of an incident.” 

Fines, particularly the significant sums recently issued to British Airways and Marriott International, are, statistically speaking, a rarity. As set out in the ICO’s recent annual report, their aim in using their powers is to “change behaviours” to ensure that individual rights are upheld and that organisations comply with the law. Recourse to monetary penalties, under this goal, is reserved for the most egregious cases or when previous action has failed to lead to an improvement.  

If I am fined, will I always be charged the maximum?  

No. Per the ICO’s own description, there is a “hierarchy of regulatory action”, with monetary sanctions reserved for the most serious cases.  

Even when fines are issued, the ICO still assess cases on an individual basis and may choose not to levy the maximum. For example, the £183m fine for British Airways represented around 1.5% of their global turnover – so less than the maximum that could have been applied.   

What should my organisation do next?  

Fines, however large, are issued in response to breaches of the GDPR. Therefore to avoid fines, organisations simply need to meet all their data protection obligations.  

At Apomatix, we have an automated solution that will help you quickly and efficiently assess your GDPR compliance obligations. You can then use our platform to treat any outstanding items.