Risks of Non-Compliance to GDPR
There have been plenty of articles about the risks and consequences of non-compliance, with most focusing on the maximum penalties, and a few suggesting that some firms believe that the consequences have been over-stated. Whilst we’re pleased to say we’ve not come across anyone in our sector that is not taking compliance seriously, it’s a good idea to consider the differences that the change from the Data Protection Act 1998 to the GDPR will have on sanctions.
The countdown to GDPR continues, with only 6 weeks now before the implementation date. News last week that Apple’s privacy changes will eventually be available to all its customers, including those outside of the EU and UK, emphasises the potential reach and impact of GDPR. Rather than looking to have two separate systems in place for those covered by GDPR and those who are not, Apple will raise the bar for all. It will certainly be very interesting to see whether other international firms follow suit and, over the next few years, the standards set by GDPR end up becoming the norm even for those outside of the EU and UK.
Apple’s stated reasoning for the across the board changes – that privacy is a fundamental human right – is at the crux of much of the current debate about personal data security; the recent news that individuals’ data may have been used improperly emphasises just how important both the subject is to individuals and firms alike.
Whilst ensuring privacy for customers is likely to have been on most financial services firms’ radars for some time, it is probable that the level of provision required to establish effective GDPR resources for 25 May has increased significantly over previous years’ provision for Data Protection. And with good reason. GDPR is a complex regulation, requiring a suite of policies, procedures and processes, each component of which should be designed to meet the requirements of the GDPR for the individual organisation. To get to this stage, a firm will need to be sure, at the very least, of its status (controller or processor), the legal basis on which it collects and uses data, its data security provision, and whether it should have, or needs to have, a Data Protection Officer in place. To ensure compliance with the finer points of the Regulation, it’s always recommended that firms consult with a compliance expert.
Risks of Non-Compliance
Ultimately, the headline grabber is the increase in the maximum fine amount – either €20 million or up to 4% of the company’s annual global turnover for the preceding year, whichever is greater. The maximum fine under the DPA 1998 was £500,000. In short, the risk of non-compliance is far greater under GDPR.
For larger firms, the impact is put into perspective when it is considered that 4% of their annual revenue can easily reach beyond that €20 million threshold. For smaller firms with much lower revenue, it’s a good idea to reflect on the fact that the 4% option is unlikely to apply; how many small to medium firms could absorb a €20 million fine? It’s worth remembering that currently it is not possible to insure against ICO fines, and it is likely to remain unclear for some time whether this will also apply to fines under the GDPR.
The GDPR makes clear that if a company is found to have acted in a non-compliant manner, sanctions should be proportionate. The European Commission and the Information Commissioner’s Office have provided some helpful information here, suggesting that any appropriate fines will be levied based on a range of factors, including the category of breach or non-compliance, categories of personal data affected, whether negligence was involved, the level of harm to data subjects, and cooperation with the authorities. In addition, a range of non-monetary sanctions are available to the supervisory authority – in the UK’s case, the ICO – including warnings, reprimands, orders to comply, orders to communicate breaches to the data subject/s, and temporary or longer-term bans on processing.
Whilst it is unlikely that firms that are not in compliance with every element of the GDPR come the 25th May will be hit with the maximum fine, what is absolutely clear is that any firm that has not sought to begin the journey to compliance risks being viewed as negligent. In summary, you can’t afford to ignore GDPR.
At first sight, it can appear overwhelming, so we have designed our detailed All Stars Education Series to help firms of all sizes understand what they need to do to comply. Sign up to our GDPR Email Education Series for only £75.
If you need any further assistance or consultancy for your GDPR implementation, simply contact us for further information. A range of our services is set out below:
Template Policy - £400
DPIA - £400
Privacy by Design - £400
8 rights processes - £50 each
Review of your position - £400