The General Data Protection Regulation (GDPR) gives the Information Commissioner's Office (ICO) and other supervisory authorities greater powers to take action quickly and forcefully on non-compliance.
Depending on what has gone wrong, you and your business could face a number of consequences. The following may help you consider the risks and how to manage them:
The ICO has powers under GDPR to investigate breaches and to require that they are put right.
If there is a breach, depending on its severity, the ICO may ask you to:
- Provide basic information about the breach and details of how you have corrected it
- Provide information about the circumstances in which the breach occurred
- Provide access to the personal data concerned so that you can evidence your compliance
- Provide access to premises and equipment
- Submit to more detailed audits of how you use personal data
- Provide evidence to other law enforcement agencies, depending on the seriousness of the breach.
Fines and enforcement action are considered case by case and depend on a number of factors, which may include the nature of the breach, how many data subjects (individuals) were affected, and any history of issues with the controller or processor.
GDPR sets two tiers of administrative fines, depending on the seriousness of the infringement:
- Up to €10 million or 2% of the company's total worldwide annual turnover for the previous financial year, whichever is higher.
- Up to €20 million or 4% of the company's total worldwide annual turnover for the previous financial year, whichever is higher.
The ICO's corrective powers for dealing with non-compliance include:
- Ordering the immediate rectification, erasure or restriction of processing of personal data
- Issuing warnings and orders to comply, with further sanctions if they are not followed
- Requiring you to communicate a breach to all affected data subjects
- Limiting processing of data, temporarily or permanently
- Suspending transfers of data outside the EEA
- Imposing fines, depending on the nature of the breach and other contributory factors.
Where a firm is FCA-regulated, the FCA may also take its own action, up to the removal of authorisation.
In addition, there is a risk of:
- Claims for compensation from affected data subjects
- Reputational damage
- Possible further action from the regulators
- Operational disruption.
The ICO has said that firms need to take a 'risk-based' approach: you will need to be able to demonstrate the steps you have taken and show how they address the risks you identified.