The Article 29 Working Party (the body that brings together all the EU data protection regulators) has published guidance to help supervisory authorities (regulators such as the ICO) decide what action to take when a Data Controller or Data Processor infringes the GDPR.
Of course, it's well known that under the GDPR fines for the most serious infringements can be as much as 4% of global annual turnover or €20m, whichever is higher, a fact that appears to be used a great deal for scaremongering.
But on the face of it, and the ICO has already made this point, issuing fines isn't what the GDPR is all about; it's really about empowering those who process personal data to do so responsibly.
So proportionality is key when it comes to determining the outcome of a data protection infringement. You can see that from how the ICO deals with breaches under the Data Protection Act. Under the DPA the ICO can fine up to £500k, but it fined TalkTalk only £400k for its 2015 breach, and it didn't fine the Royal Free NHS Trust at all for sharing patient data with Google.
However, there's a challenge ahead. The GDPR is by definition an EU Regulation, which as we know means it applies directly across all EU member states (including the UK, despite Brexit) from May next year. Whilst there are some derogations in some areas, its intention is to provide a level playing field across the EU, so that no matter where a Data Subject is in Europe they know they can expect the same level of protection regardless of which EU country their data is processed in.
The same level playing field also applies to administrative fines, and so the recent guidance from the A29WP attempts to set expectations in that regard. The intention is that all regulators will apply the same principles when they investigate an issue and will impose similar fines and remedies. To achieve this, the guidance suggests the regulators will co-operate with each other via "case-handling workshops or other events", with the European Data Protection Board (EDPB) having a role (once it's established) in mediating differences in approach across Europe. But as the guidance itself concludes, we'll have to wait and see how things progress, because "applying administrative fines consistently across the European Union is an evolving art".
What is clear is that the GDPR allows for proportionate, case-by-case investigation and decision making by the regulatory bodies, which makes it unlikely that we'll see the top-level fine issued often, if at all.
Providing cost-effective, simple-to-understand and practical GDPR and ePrivacy advice and guidance via my one-stop-shop helpline. I ❤️ GDPR