GDPR And Data Breach Penalties

SocialB Digital Marketing Blog Last modified: 18 Apr 2018 by SocialB

On May 25th, data protection rules across all of Europe will see their biggest change in two decades. The laws stating how people’s data should be handled were created in the 1990s and since then, a lot has changed. The average UK citizen uses 3.1 connected devices every day, all of these create huge amounts of digital information that could identify us. So, in short, the laws are going to change to be more suitable to the digital age, the result of this is the new European law, General Data Protection Regulation.

Because GDPR is such a huge change to the current data protection laws it has been heavily covered in the news and all over the internet and whilst we have seen many articles on tips on GDPR, assessing your weaknesses etc. We haven’t seen a lot of articles explaining the severity of GDPR and what could happen if your business were to not comply with the new laws.

One specific element of GDPR, is the power that regulators will hold to be able to fine businesses that don’t comply with GDPR Rules. If a company doesn’t process personal data in the correct way, they can be fined. If the company requires and doesn’t have a data protection officer, it can be fined. If there’s a security breach within the company, it can be fined. So, the severity of GDPR has increased largely due to the increased possibility of a hefty fine. As well as fines it’s important to note that Supervisory authorities will have the scope to impose fines of a lower amount, or take a range of actions such as issue warnings, issue reprimands, order compliance with Data Subject requests and communicate the Personal Data breach directly to the Data Subject.

So, the fines. Article 83 of the General Data Protection Regulation states there will be two tiers of fines based on the new GDPR. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year (whichever is higher). The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year (whichever is higher). Fines for infringements will be considered on a case-by-case basis and will take a number of criteria into consideration, such as ‘the intentional nature of the infringement, how many subjects were affected and any previous infringements by the controller or processor.’

There has been a lot of discussion as to whether as soon as GDPR lands they will be handing out fines to large companies to make an example however, Elizabeth Denham, the UK’s information commissioner, who is in charge of data protection enforcement said this, “Having larger fines is useful but I think fundamentally what I’m saying is it’s scaremongering to suggest that we’re going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm.”

Email marketing will be a huge part of GDPR as most companies will need to update their databases to make sure that individuals who companies are emailing have permission to do so. There have already been large fines regarding re-permissioning emails, for example, Honda Motors had sent 289,790 emails aiming to get customers to continue receiving marketing emails. There have also been fines for sending emails to individuals who had already unsubscribed from certain emails, Flybe had received a large fine for sent more than 3 million emails to people who had said they didn’t want to receive marketing emails.

Most companies will have taken the severity of GDPR as motivation to tighten up how the use and store personal data, however, some may not take the necessary steps to prevent a data breach and will no doubt be caught out due to the severity of GDPR…

Disclaimer: This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.

Leave a Reply

Your email address will not be published.