

Enforcement of the GDPR

24.05.2018 GDPR and UK data protection, Sanctions, Compliance

NB: all references are to Articles of the GDPR unless indicated otherwise.

The new EU General Data Protection Regulation (“GDPR”) which comes into force on Friday 25 May 2018 is the toughest data protection regime in the world. It is the EU’s response to mounting public concern at unauthorised use of data or, perhaps even worse, the commercial use of personal data without even the individual owner of the data being aware that this is happening. In addition to imposing demanding obligations on the collector and processor of personal data, the GDPR also introduces tough sanctions for breaches. 

Enforcement by EU data authorities

Enforcement is the responsibility of the relevant Data Protection Authority (“DPA”) in the EU Member State concerned. In the UK, this is the Information Commissioner’s Office (“ICO”). The powers of the DPAs will depend on their national laws. The ICO’s powers will derive from the Data Protection Bill currently before Parliament, and these include powers to investigate breaches (either as a result of complaints or on their own initiative) and conduct “dawn raids” subject to a warrant. There are also criminal penalties for obstruction, destruction of evidence and similar offences.

To cope with its increased role and powers, the ICO has been hiring up to 200 additional staff since March 2017.

Brexit

After withdrawing from membership of the EU, the UK will become a third country from 30 March 2019. As a result, the ICO will cease to be a DPA for the purposes of the GDPR. It remains to be seen whether the current withdrawal negotiations between the EU and the UK will lead to the ICO retaining its DPA status during the “transitional period” until at least December 2020. Under the current proposals, GDPR approvals given by the ICO (for example of Binding Corporate Rules) will remain valid after Brexit by operation of “grandfathering” rights.

A separate question is whether the basis for the decisions granted to UK-based entities will remain valid after Brexit if the UK fails to receive an “Adequacy Decision” like Australia or Switzerland, i.e. a Commission Decision confirming that the UK’s data laws meet GDPR standards and thus permit the transfer of data from the EU to the UK without special measures such as approved Binding Corporate Rules. In January 2018, the UK Parliament voted to exit the EU Charter of Fundamental Rights: although the UK insists that its data laws will nevertheless continue to protect human rights sufficiently, it is now possible that this decision could lead to an EU assessment of UK data protection as being insufficient to merit an Adequacy Decision. The consequence might be that UK entities would then be subject to GDPR rules administered and enforced by the DPA of one of the remaining 27 EU Member States: this would create obvious difficulties for UK companies, which would have to select a new supervisory DPA instead of the ICO and would be subject to unfamiliar national procedures conducted in a language other than English.

Fines

The DPAs have extensive fining powers (Art 83), with two broad categories of fines for major breaches and what might be called “less significant breaches”.

Major breaches of the GDPR can lead to fines of €20 million or 4% of the infringer’s global turnover, whichever is the higher. Major breaches include failures to respect the rights of data subjects (such as the right to erase data), failures to process on the basis of one of the permitted grounds, failures to apply the prescribed procedures for special categories of data (e.g. health or genetic data), or transferring data outside the EEA without lawful process.

“Less significant breaches” can lead to fines of €10 million or 2% of the infringer’s global turnover, whichever is the higher. Such breaches include failures to comply with rules on obtaining consent for minors, failures in designing systems with built-in privacy by design or by default, security breaches and failures to notify the affected individual, or failures by the Data Protection Officer to perform his or her duties.

In setting the level of fines, the DPAs will consider the circumstances of each case, including the nature and gravity of the infringement, the number of individuals affected by the breach, the intentional or negligent character of the breach, whether the infringer has been guilty of past breaches, and similar factors.

Fines under the pre-GDPR regime have been comparatively light: Honda and Flybe were fined £13,000 and £70,000 respectively for emailing customers who had unsubscribed or had not indicated consent to receive marketing emails. Most recently, Greenwich University was fined £120,000 as a result of a data breach involving a 14-year-old website with defective security, which resulted in the personal data of 20,000 individuals, including sensitive data, being accessed by a third party and published externally. Some commentators believe that post-GDPR fines will be substantially higher, but the ICO has been clear that it will continue to use a risk-based approach and has no intention of ‘scaling up’ the size of its fines under the new regime. However, the ICO has also confirmed that it will not hesitate to impose large fines for serious data breaches caused by large organisations and potentially involving the personal data of hundreds of thousands or millions of people.

How severely will the ICO and other DPAs enforce the GDPR?

A question often asked is how severe the DPAs will be regarding breaches of the GDPR. One can certainly expect the DPAs to be tough on serious breaches after 25 May 2018: after all, companies trading in the EU have had two years’ notice to take the necessary measures to comply with the new data laws, since the Regulation was adopted as law by the EU Council and Parliament on 25 May 2016. A major breach, such as a failure to respect the rights of individuals, will no doubt be met with little sympathy by regulators where the company has not introduced GDPR-compliant measures or has breached its obligations through avoidable negligence. That said, the impression from the various public statements of data regulators is that they are keener to encourage and guide businesses to comply with the new data laws than to inflict punishment. One could even expect the DPAs to be relatively indulgent in the early months of the GDPR and to be pragmatic rather than draconian. After all, compliance with the GDPR for a major multinational enterprise with many offices both inside and outside the EU will require considerable investment and management time: experience suggests that EU data regulators are sympathetic rather than bureaucratic, that they will welcome requests for guidance, and that they will give due recognition to sincere efforts at compliance.