What have you got to lose?
The General Data Protection Regulation (GDPR) gives the Information Commissioner's Office (ICO) and other regulators greater powers to take action quickly and forcefully against non-compliance.
Depending on what has gone wrong, you and your business could face a number of consequences. The following may help you consider the risks and how to manage them:
The ICO has powers under GDPR to investigate breaches and to require that they are corrected.
If there is a breach, depending on its severity, the ICO may require you to:
- Provide basic information about the breach and details of how you have corrected it
- Provide information about the circumstances of the breach
- Provide access to all personal data needed to evidence your compliance
- Provide access to premises and equipment
- Allow more detailed audits of how you use personal data
- Provide evidence to other law enforcement agencies, depending on the seriousness of the breach.
Fines and enforcement action are considered on a case-by-case basis and depend on a number of factors, including the nature of the breach, how many data subjects (individuals) were affected and any history of issues with the controller or processor.
GDPR sets two tiers of administrative fines, depending on the seriousness of the infringement:
- Up to €10 million or 2% of the undertaking's total worldwide annual turnover for the preceding financial year, whichever is higher.
- Up to €20 million or 4% of the undertaking's total worldwide annual turnover for the preceding financial year, whichever is higher.
The ICO also has corrective powers to resolve non-compliance:
- Order the immediate rectification, erasure or restriction of processing of personal data
- Issue warnings and orders to comply, with further sanctions for failure to do so
- Require you to communicate a breach to all data subjects affected by it
- Limit processing of data, temporarily or permanently
- Suspend transfers of data to recipients outside the EEA
- Impose fines, depending on the nature of the breach and other contributory factors
- For FCA-regulated firms, the FCA may separately withdraw your authorisation.
In addition, there is a risk of:
- Compensation claims from affected data subjects
- Reputational damage
- Further action from regulators
- Operational disruption.
The ICO has said firms need to take a risk-based approach. You will need to be able to demonstrate the steps you have taken and show how they reflect the way you have assessed and managed the risk.
Consider your data security
You will need to take a risk-based approach when deciding the appropriate level of security for the personal data you process, including how it is used, stored and transferred.
Use our checklist to ensure your business is GDPR compliant.
ARTICLE by The Technical Team