What have you got to lose?

Nick Hunt, Technical Manager, Specialist Business Support
Last updated on 23rd May 2018

Overview

GDPR gives the ICO and other regulators greater powers to take action quickly and forcefully on non-compliance. Depending on what has gone wrong, you and your business could face a number of consequences, from investigation and corrective orders through to fines, compensation claims and reputational damage.

GDPR Challenges

The General Data Protection Regulation (GDPR) gives the Information Commissioner's Office (ICO), the UK's supervisory authority, greater powers to take action quickly and forcefully on non-compliance.

Depending on what has gone wrong, you and your business could face a number of consequences. The following may help you consider the risks and how to manage them:

Investigation:

The ICO has investigative and corrective powers under GDPR: it can look into a suspected breach and require you to put it right.

If there is a breach, depending on its severity, the ICO may ask you to:

  • Provide basic information about the breach and details of how you have corrected it
  • Provide information about the circumstances in which the breach occurred
  • Provide access to the personal data you hold, so that you can evidence your compliance
  • Provide access to premises and equipment
  • Allow more detailed audits of how you use personal data
  • Provide evidence to other law enforcement agencies, depending on the seriousness of the breach.

Fines:

Fines and enforcement action are considered on a case-by-case basis and depend on a number of factors; these may include the nature and duration of the breach, how many data subjects (individuals) were affected, the harm done to them, and any history of issues with the controller or processor.

GDPR sets two tiers of maximum fine, depending on the seriousness of the infringement:

  • Lower tier: up to €10 million or 2% of the company's total worldwide annual turnover for the previous financial year, whichever is higher. This tier covers breaches of the controller's and processor's own obligations, such as security of processing, record-keeping and breach notification.
  • Upper tier: up to €20 million or 4% of the company's total worldwide annual turnover for the previous financial year, whichever is higher. This tier covers breaches of the basic data protection principles, of data subjects' rights, of the rules on international transfers, and failure to comply with an order from the regulator.

Corrective powers:

The ICO has corrective powers to resolve non-compliance, including the power to:

  • Order the immediate rectification, erasure or restriction of processing of personal data
  • Issue warnings, reprimands and orders to comply, with further sanctions if they are not followed
  • Order you to communicate a breach to the affected data subjects
  • Limit the processing of data, temporarily or permanently
  • Suspend or limit transfers of personal data to recipients outside the EEA
  • Impose fines, depending on the nature of the breach and other contributory factors.

For firms regulated by the FCA, the FCA may separately take action of its own, up to and including removal of the firm's authorisation.

In addition, there is a risk of:

  • Compensation claims from data subjects, who have a right under GDPR to compensation for material or non-material damage caused by a breach
  • Reputational damage
  • Further action from other regulators
  • Operational impact, for example while processing is restricted or systems are remediated.

The ICO has said firms need to take a 'risk-based' approach. Under GDPR's accountability principle you must be able to demonstrate, with records, the steps you have taken to identify the risks to personal data and how you have managed them.


© Prudential 2020