The General Data Protection Regulation (“GDPR”) coming into force in May 2018 empowers national supervisory authorities to issue fines of up to €20 million, or 4% of an organisation’s annual global turnover, for certain data protection infringements. These figures have generated headlines and news stories around the globe, many of them misleading. The Information Commissioner, in her post of December last year, warned of ‘scaremongering because of misconceptions’. We seek to put the headline-grabbing figures in context by examining the range of administrative sanctions available to national supervisory authorities for dealing with infringements of GDPR and the criteria they will use when selecting them. In doing so we shed light on how organisations can prepare for, and react to, any data protection infringements to reduce the risk of a heavy fine.
ICO Powers – the Enforcement Toolbox
The decision on what corrective measures should be imposed on an organisation for an infringement or potential infringement of GDPR rests with the relevant national supervisory authority; in the UK this is the Information Commissioner’s Office (“ICO”). Fines are just one part of what has been termed the ‘enforcement toolbox’. This also includes the power to issue warnings and reprimands, order compliance, and impose restrictions or bans on processing data. If a fine is deemed appropriate, the ICO will have considerable discretion to set the level. There are different maximum fines for different breaches but no fixed penalties or minimum fines. Though the ceilings are higher (at present the maximum monetary penalty is £500,000.00), this approach to fines is similar to the current regime. Under that regime no organisation has received the maximum permitted monetary penalty from the ICO (the highest ever fine was the £400,000 fine issued to TalkTalk for failings in connection with a cyber-attack), and in 2016/2017, of the 17,300 cases concluded, only 16 resulted in fines for the organisations concerned.
The GDPR empowers the ICO to create tailor-made solutions to deal with infringements brought to its attention. This does not mean that organisations can relax about compliance, but diligent small and medium-sized organisations can take comfort in the fact that they are unlikely to face the sort of punishments designed to bring rogue tech giants to heel.
To Fine or Not to Fine? – Factors National Supervisory Authorities Will Consider When Imposing and Quantifying a Fine
Article 83(2) GDPR outlines the factors to be taken into account by national supervisory authorities when deciding whether an administrative fine is appropriate, and at what level such a fine should be set. Some of these factors focus on the impact of the infringement, including the number of data subjects affected; the level of damage suffered by them; and the categories of personal data affected by the infringement. They serve as a reminder that data controllers and processors should always be conscious of the nature of the data that they control and process, and ensure that adequate mechanisms are in place. Organisations or individuals dealing with large amounts of data and/or special categories of personal data will be particularly vulnerable to more stringent corrective measures and fines.
Other factors to be taken into account focus on the conduct of the controller or processor. The ICO will take into account past conduct; conduct that led to the breach; and conduct following the breach. When taking into account past conduct the ICO will look into adherence to approved codes of conduct, whether there have been any relevant past breaches, and how the controller or processor has previously reacted to any action by a supervisory authority. When examining conduct which led to the infringement the ICO will look into whether the infringement was negligent or deliberate, the purpose of the processing that led to the infringement, and the degree of responsibility of the controller or processor. When examining conduct following an infringement the ICO will consider whether and to what extent the controller notified them of the infringement, any action taken by the controller to mitigate damage to data subjects, and the degree of co-operation with the ICO. Organisations or individuals with comprehensive plans and policies in place to prevent infringements and to deal with any infringements that occur will benefit when it comes to the ICO’s assessment of the level of corrective measures. Those that deal openly, efficiently and constructively with the ICO are very unlikely to face the maximum fines.
As with any new regime, there will be a degree of uncertainty around the imposition of fines and other corrective measures when the GDPR comes into force. The EU Working Party on Data Protection adopted guidelines on administrative fines on 3 October 2017 which state that ‘[t]he point is to not qualify the fines as last resort, nor to shy away from issuing fines’, whilst the Information Commissioner stated in August that ‘[i]ssuing fines has always been and will continue to be, a last resort.’ However, two points seem clear from all that has come from both of these organisations. First, approaches to infringements will be individualised and proportionate, and will not necessarily include fines. Secondly, organisations and individuals who are diligent in their data protection planning, act in good faith, and co-operate with supervisory authorities will be the least likely to have the most restrictive corrective measures, or the heaviest fines, imposed on them. Whilst the ICO takes its role very seriously, it also prides itself on being a fair and proportionate regulator.