How to Avoid GDPR Administrative Fines

23 November 2017

Author: Faye Phillips



Data protection regulations are set to get stricter under the new General Data Protection Regulation (GDPR) which comes into effect in May 2018.

The power to impose fines against those who breach the GDPR will change significantly, and there will be a dramatic increase in the level of fines organisations may find themselves facing - from £500,000 to €20 million. Some businesses may even find themselves at risk of insolvency if they are found to be in breach of the GDPR.

A new tiered approach to fines and penalties will be adopted to cover a wide range of infringements. It will apply to both controllers and processors.

Supervisory authorities will have the ability to impose much more substantial fines.

Administrative fines are discretionary, to be imposed on a case-by-case basis, and supervisory authorities must ensure each fine is “effective, proportionate and dissuasive.”

Certain lesser infringements will be subject to fines of up to €10 million or 2 per cent of the total global turnover, whichever is greater. If in breach of GDPR, your business could be fined up to 4 per cent of annual global turnover or €20 million, whichever is greater, for the most serious of offences.

Member states can determine the extent to which public authorities may be subject to an administrative fine.

Administrative fines will be discretionary and take into account:

  • The nature, gravity and duration of the infringement;
  • Number of data subjects affected and the level of damage suffered;
  • Intentional or negligent character of the infringement;
  • Any action taken to mitigate the damage;
  • The degree of responsibility of the controller or processor;
  • Any relevant previous infringements by the controller;
  • The degree of cooperation with the supervisory authority;
  • Where measures have previously been ordered against the controller or processor, compliance with those measures;
  • Adherence to approved codes of conduct;
  • Any other aggravating or mitigating factor applicable to the circumstances of the case.

Organisations need to be doing everything they can now to prepare for the implementation of the GDPR. There is a lot to get to grips with and the implications are severe in the event of non-compliance.

For further information please contact Carson McDowell on 028 90 244 951.