Penalties
When the EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018, organisations in breach of the legislation will find the fines they face increasing dramatically.
From a maximum of £500,000 that the ICO could levy, penalties will then reach an upper limit of €20 million or 4% or annual global turnover – whichever is higher.
So, for many businesses, non-compliance could mean insolvency or even closure.
Under the GDPR, Supervisory Authorities will be given a number of new powers including the power to issue warnings of non-compliance, carry out audits, require specific corrective action within a specified time frame, order erasure of data and the complete suspension of data transfers to a third country.
And these powers can be applied to controllers and processors alike.
The investigative powers of the Supervisory Authority include the right:
- to order you to provide any information it requires for the performance of its tasks
to carry out data protection audits
to review certifications
to notify you of any alleged infringement of the GDPR
to obtain access to all personal data and all information necessary
to obtain access to any premises of controller and processor including data processing equipment
Supervisory Authority corrective powers include the right to:
- to issue warnings that intended processing is likely to result in infringement of the GDPR
to issue reprimands where processing operations have infringed provisions of the GDPR
to order you to bring processing operations into compliance with the GDPR
to order you to communicate a personal data breach to the data subject
to impose a temporary or definitive limitation including a ban on processing
to order the rectification, restriction or erasure of data or order a certification body not to issue a certificate
to impose administrative fines
to order the suspension of data flows to a recipient in a third country or to an international organisation.
Crucially, SAs are also empowered to issue substantial administrative fines: which you see in the accompanying documentation:
Requirements, which can attract a fine of up to 4% of total global annual turnover or €20m (whichever is the higher), can also be seen in the PDF:
Apologies for the complexity of language and legalese involved, but that’s a simplified version.
And months is not long to bring an organisation – especially a larger one – to a state of compliance with the new law.
Which is why it’s essential to prepare now.
GDPR Academy Detail Notes
About GDPR Academy
GDPR Academy is dedicated to GDPR and Cyber Security. These go hand-in-hand so you are up-to-date, day-by-day on the latest developments, white papers, laws and timings et al.
Become a Member
GDPR Academy is the only place you’ll find a comprehensive body of knowledge, resources and experts to help you navigate the complex landscape of tomorrow’s GDPR and Cyber Security issues.