General Data Protection Regulation (GDPR)
GDPR penalties and enforcement
The General Data Protection Regulation (GDPR) became a binding law on 25 May 2018 across all of the European Union countries.
Like the preceding data protection legislation, it provides a suite of sanctions to help organisations and business comply. These include:
- warnings and reprimands
- corrective orders
- temporary or permanent ban on data processing
- ability to carry out audits
- ordering rectification, restriction or erasure of data
- suspending data transfers to third countries
- monetary penalties
Some of these sanctions will apply to both controllers and processors, and may significantly impact day-to-day operations, eg suspending data transfers or stopping processing.
The Information Commissioner's Office (ICO) is responsible for enforcing the GDPR in the UK.
The GDPR monetary penalties fall into two classifications:
- for less severe breaches, the maximum fine is €10 million or two per cent of a company's annual revenue, whichever is greater
- for more severe breaches, the maximum fine is €20 million or four per cent of a company's annual revenue, whichever is greater
While the ICO has the powers to impose maximum penalties on businesses that are found in gross breach of the regulations, this doesn't mean that each and every infringement will lead to serious fines.
The fines are discretionary rather than mandatory and the ICO has given assurances that they will impose them proportionately, on a case-by-case basis, and typically as a last resort.
When setting the fine, the ICO will consider a range of factors, including:
- the nature, gravity, and duration of the infringement
- the number of people affected and the extent of the damage to them
- whether the breach was intentional or negligent
- any previous history of noncompliance
- any action taken to mitigate the damage
- whether the controller notified the ICO of the infringement and co-operated
See more on reporting serious breaches of personal data.
Costs of non-compliance with the GDPR
Fines will only be one of the aspects contributing to the financial loss you may suffer as a result of a GDPR breach. You will have to consider also:
- compensation claims for damages suffered by individuals
- reputational damage
- loss of consumer trust
Remember to also apply the appropriate technical and organisational measures to protect the personal data you hold and process. Read more about the GDPR security principle or browse detailed guides on:
- cyber security for business
- protect your business online
- protect your business from ransomware
- IT risk management
Use our GDPR compliance checklist to work through the steps involved in complying with the new regulation.
This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.