Penalties and fines under the GDPR

If one part of the GDPR has caught the headlines it's the potential fines an organisation can face. It's important to note that fines are not only levied for data breaches; they are possible for failing to comply with any part of the GDPR.

The headline figures you will probably have already seen are: fines of up to ten million euros or 2% of global turnover in the preceding financial year, whichever is higher; or fines of up to twenty million euros or 4% of global turnover in the preceding financial year, whichever is higher. Which tier applies depends on exactly which articles were infringed.

The actual amount of the fine would be based on a series of factors and mitigations laid out in Article 83, including the nature, gravity and duration of the infringement, whether it was intentional or negligent, any steps taken to mitigate the damage, the degree of cooperation with the supervisory authority and any previous infringements.

The fines are huge, but for many small and medium-sized enterprises (SMEs) they might not even be the worst thing: it's possible to be banned from processing personal data altogether, as set out in Article 58 and Article 83. For many SMEs, stopping data processing would effectively shutter the business.

This being said, the ICO does not set out to fine organisations. Elizabeth Denham, the Information Commissioner, talks specifically about how the ICO approaches its role:

The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.

And, from the same article:

Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.

But we intend to use those powers proportionately and judiciously.

And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.

Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.

And you can’t insure against that.

So, whilst the fines are severe, the ICO's aim is to help organisations towards meeting the requirements of the GDPR. We've found them incredibly helpful to date.

Important: This site describes our current understanding of the General Data Protection Regulation (GDPR).

We are not lawyers; always seek specialist GDPR advice for your organisation.

About Redox Software

At Redox we specialise in producing bespoke software written especially for your business. We can write you a system that can be used on your computer, via the web or on your tablet/phone – or any combination of those - either now or in the future.
