It is certain that the GDPR brings with it greater fines. But how great? The analysts at the NCC Group have found the answer.
As a baseline, they used last year’s fines issued by the UK’s regulator, the ICO, which totalled £800,500. Under the current regulations (the Data Protection Act 1998), the ICO can issue fines of up to £500,000 per violation.
The GDPR allows the supervisory authorities to issue much larger fines, up to €20 million or 4 percent of the company’s annual global turnover, whichever is higher.
The largest fine was issued to TalkTalk – £400,000, for failing to secure its customers’ data against attacks and for failing to notify the ICO on time. The NCC Group predicts that this fine would rise to £59 million under the GDPR. By the way, TalkTalk apparently has an atrocious data security record, as it was slapped with yet another fine in August this year. This time it was fined £100,000.
In total, NCC Group’s analysis shows that companies would have to pony up about £68 million for their transgressions if the GDPR had been in place. The analysis also reports a hypothetical 35-fold increase in projected fines for 2015, from £1 million to £35 million.
However, these calculations are bound to be imprecise. Given the ICO’s reluctance to hand out maximum fines, it is unlikely that companies would be fined as much as 4 percent of their global turnover. The projections represent worst-case scenarios in which the regulator chooses to issue the maximum fine.
The consistency mechanism could kick in though, and require the supervisory authorities to issue larger fines even if they would otherwise opt against it. But we expect that most first-time offenders will get off with a warning instead of a huge bill. Supervisory authorities also have an advisory function under the GDPR, and it has been repeatedly stressed that DPAs should not serve solely as ‘policemen’.
And even if the fines do not end up as huge as the NCC Group predicts, one thing is certain: the fines will be higher, and that is simply indisputable. Businesses that just cannot seem to cooperate well – such as TalkTalk – will certainly receive eye-watering fines from the ICO.
Even though the UK is leaving the European Union, the GDPR will apply there from 25 May 2018 as well. The ICO has already stated that it plans to propose a similar set of regulations to replace the GDPR, and these are unlikely to be any more lenient.