If one part of the GDPR has caught the headlines it's the potential fines an organisation can face. It's important to note that fines are not just levied for data breaches; they are possible for failing to conform with any part of the GDPR.
The headline figures you will probably have already seen are: fines of up to ten million euros, or 2% of global turnover in the preceding financial year, whichever is higher, or fines of up to twenty million euros, or 4% of global turnover in the preceding financial year, whichever is higher, depending on exactly which articles were infringed.
The actual amount of the fine would be based on a series of factors and mitigations as laid out in Article 83.
The fines are huge, but for many small or medium-sized enterprises (SMEs) they might not even be the worst thing: it's possible to be banned from processing personal data altogether, as discussed in Article 58 and Article 83. For many SMEs, stopping data processing would effectively shutter the business.
This being said, the ICO does not look to fine people. Elizabeth Denham talks specifically about how the ICO approaches its role:
The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.
And, from the same article:
Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.
But we intend to use those powers proportionately and judiciously.
And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.
Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.
And you can’t insure against that.
So, whilst the fines are severe, the ICO's aim is to help organisations towards meeting the requirements of the GDPR. We've found them incredibly helpful to date.