GDPR gives the ICO and other regulators greater powers to take action quickly and forcefully on non-compliance. Depending on what has gone wrong, you and your business could face a number of challenges.
The General Data Protection Regulation (GDPR) gives the Information Commissioner's Office (ICO) greater powers to take action quickly and forcefully on non-compliance.
Depending on what has gone wrong, you and your business could face a number of challenges. The following may help you consider the risks and how to manage them:
The ICO has powers under GDPR to investigate breaches of the Regulation (including personal data breaches) and to require them to be corrected.
If there is a breach, depending on its severity, the ICO may ask you to:
Provide some basic information and details of how you have corrected the breach
Provide information about the circumstances of the breach
Provide access to all personal data to evidence your compliance
Provide access to premises/equipment
Allow more detailed audits of how you use personal data
Provide evidence to other law enforcement agencies, depending on the seriousness of the breach.
Fines and enforcement action are considered on a case-by-case basis and depend on a number of factors; these may include the nature of the breach, how many data subjects (individuals) were affected, and any history of issues with the controller or processor.
GDPR sets two tiers of fines, depending on the seriousness of the infringement:
The lower tier is up to €10 million or 2% of the company's total worldwide annual turnover for the previous financial year, whichever is higher. This tier covers infringements such as failing to meet the obligations placed on controllers and processors (for example, data protection by design, records of processing, security and breach notification, and appointing a data protection officer where required).
The higher tier is up to €20 million or 4% of the company's total worldwide annual turnover for the previous financial year, whichever is higher. This tier covers infringements of the basic principles for processing (including the conditions for consent), data subjects' rights, transfers of personal data to third countries, and failure to comply with an order from the supervisory authority.
The ICO has corrective powers to resolve non-compliance, including the power to:
Insist upon immediate rectification, erasure or restriction of processing of personal data
Issue warnings, and orders to comply, with further sanctions if the order is not followed
Require you to communicate a personal data breach to all affected data subjects
Limit the processing of data, temporarily or permanently
Suspend or limit transfers of data outside the EEA
Impose fines, depending on the nature of the breach and other contributory factors
In addition, for firms regulated by the Financial Conduct Authority (FCA), the FCA may separately consider removing the firm's authorisation.
Plus there’s a risk of:
Compensation claims from data subjects who have suffered damage as a result of the breach
Possible further action from the regulators
The ICO has said firms need to take a 'risk-based' approach. Under the accountability principle you will need to be able to demonstrate the steps you have taken and show how they reflect the risks you identified and how you have managed them.