Reporting breaches

The most serious event to comply with is a data breach.

All companies must report a data breach without excessive delay and within 72 hours. The breach must be reported to the supervisory authority (the ICO) and to the data subject.

Complying with the GDPR is not only good practice but also ensures that legal obligations are met. Failure to comply can cause problems not only for your company but also for the people you work with and the individuals whose data you collect.

Penalties

If your company fails to comply with GDPR legislation, you may receive some form of sanction.

The severity of the infringement determines the severity of the punishment.

When monetary fines are imposed, there are two tiers.

The first tier is less severe, with fines of up to 2% of annual global turnover or up to €10,000,000 (whichever is greater).

The GDPR has given each individual regulation its own article number, so it is easier to understand and follow how each regulation is broken down into categories.

Failures of compliance that can carry a monetary fine in this tier include infringements of articles:

→ article 8: conditions of children’s consent

→ article 11: processing that doesn’t require identification

→ article 25–39: obligations of data processors and controllers

→ article 42: certification

→ article 43: certification bodies.

The second tier of fines is more severe:

The GDPR sets a maximum monetary fine of 4% of annual global turnover or €20,000,000 (whichever is greater) for organisations that infringe GDPR requirements.

These fines are discretionary, not mandatory, when there is an infringement of GDPR legislation.

Any fine imposed must be on a case-by-case basis.

It must also be effective and proportionate to the severity of the infringement.

Additional information for Penalties

Failures of compliance that can carry a monetary fine in this second tier include infringements of:

→ article 5: data processing principles

→ article 6: lawfulness of processing

→ article 7: conditions for consent

→ article 9: processing of special category data

→ article 12–22: data subject rights

→ article 44–49: data transfers to third countries or international

Not all GDPR infringements result in data protection fines.

Supervisory authorities such as the ICO can take other actions, such as:

→ giving out warnings and reprimands

→ imposing temporary or permanent bans on data processing

→ enforcing the rectification, restriction or erasure of data

→ suspension of data transfers to third countries.

Before any punishments are imposed on a business, there are a number of things to consider, such as:

→ the nature, severity and duration of the infringement

→ whether the infringement was intentional or the result of negligence

→ whether the company had technical and organisational measures in place to mitigate data breaches

→ whether the company has any previous history of GDPR infringements

→ the type of data involved

All penalties should be fair and reflect the infringement, and companies should take every possible step to ensure compliance with the GDPR.

Summary

In this final module, we have looked at the responsibilities and obligations your business must comply with under the GDPR.

The key things we have learnt are:

1 how being accountable for your business activities demonstrates good practice. A business can demonstrate this simply by enforcing data protection policies.
2 how the ICO enforces compliance with GDPR rules. Failure to comply can result in penalties for a company.
3 the penalties your business can incur and how to avoid them. These penalties can be monetary or can stop a company from processing data altogether.