In this month’s edition Alan Meneghetti and Michael Thompsett of Locke Lord LLP, a member of the JLT Cyber Risk Consortium, explore the General Data Protection Regulation (GDPR) further.
How will fines be administered under the GDPR?
Under the GDPR, which comes into effect on May 25, 2018 in all member states (including the UK), significantly higher fines can be imposed for a data breach compared to the UK’s Information Commissioner’s Office (ICO) current maximum penalty of £500,000.
The GDPR establishes a tiered approach to penalties depending on the nature of the infringement and can reach the higher of 4% of annual worldwide turnover and EUR 20 million. Article 83 of the GDPR lists the factors to be considered. There is some overlap with Directive 95/46 and the Data Protection Act (DPA) 1998, including the application of aggravating and mitigating factors, as well as some additional statutory criteria including action taken by the data controller to mitigate the damage suffered by data subjects and the degree of cooperation with the supervisory authority to remedy the infringement.
At least as of now, it seems the GDPR will likely prompt the ICO to be prepared to issue higher fines for the most serious of breaches, although it is extremely unlikely to issue fines anywhere close to the maximum on a regular basis. Further guidance on the extent to which the current fine thresholds under the DPA 1998 will be amended is also expected.
Also, we will likely see the application of more wide-ranging criteria in determining a fine, as well as revised public guidance on the internal procedures used to calculate the fines. Member States will be publishing codes of conduct for data processors and controllers to follow under the GDPR (Article 40). The extent to which these codes of conduct are adhered to will likely bear significantly on the amount of the fine in the event of a breach.
If a company reports a breach incident after the GDPR comes into force but the incident took place before the enactment date, which fine threshold are they subjected to?
This will be the GDPR, because the previous Data Protection Directive shall be fully repealed from May 25 2018 (the day in which the GDPR comes into force) in accordance with Article 94 of the GDPR. In any event, data processors and controllers should report a breach as soon as they learn of it – i.e. before it has been fully investigated – any delay in reporting a breach is likely to increase the amount of any applicable fine.
Download Cyber Decoder
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org