18 Nov Updates to the GDPR Fines – October 2017
The ICO released further guidance and updates on the administration of GDPR fines on the 6th October 2017.
The update explains four principles regarding GDPR fines:
1. Infringement of the Regulation should lead to the imposition of “equivalent
The key issue is consistency, and the ICO will be communicating across borders with the supervisory authorities of other GDPR member states to ensure that the fines issued are consistent with the infringements.
This is applicable to corrective measures as well as fines.
2. Like all corrective measures chosen by the supervisory authorities, administrative fines should be “effective, proportionate and dissuasive”.
The corrective measures will respond to the gravity and consequences of each breach. The fines will be in line with the outcomes that need to be achieved, whether a financial penalty, or the need for re-compliance with the GDPR.
3. The competent supervisory authority will make an assessment “in each
Fines and penalties can be imposed for a wide variety of infringements or breaches of the GDPR. Each case will be assessed individually, and an assessment of each breach will be the starting point. Fines will not be a “last resort” but will be used in a balanced approach to ensure compliance.
4. A harmonized approach to administrative fines in the field of data protection requires active participation and information exchange among Supervisory Authorities.
Fines and corrective direction will be subject to appeals in national courts. Supervisory authorities will share information and regularly attend workshops to ensure the issues of time, resources, organisation and procedures in carrying out and administering these fines retain consistency across the board.
The criteria for assessing the gravity of the breach will include:
(a) the nature, gravity and duration of the infringement.
(b) the intentional or negligent character of the infringement.
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects.
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them.
(e) any relevant previous infringements by the controller or processor.
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement.
(g) the categories of the personal data affected by the infringement.
(h) the manner in which the infringement became known to the supervisory authority, in particular, whether, and if so to what extent, the controller or processor notified the infringement.
(i) where measures have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures.
(j) adherence to approved codes of conduct.
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
To summarise, the GDPR regulators will endeavour to ensure consistency in administering fines and corrective direction through effective communication, assessment within a common framework, and ensuring that each fine is proportionate to the breach. This approach will evolve as the GDPR is implemented.
Check out the ICO website, and sign up for the newsletter to make sure you are up to date with any developments.
Alternatively, we offer your business either an in-house interactive GDPR seminar or several local seminars at varying Northamptonshire venues, at the end of which you will have a complete action plan to help your business become GDPR compliant. Check out our dates here.
For more information about the GDPR check out our blog!