GDPR administrative fines and level playing field across Europe


The Article 29 Working Party (the body made up of all the EU data protection regulators) has published guidance to help supervisory authorities (regulators such as the ICO) decide what action to take when a Data Controller or Data Processor infringes the GDPR.

Of course, it’s well known that under the GDPR fines for the most serious infringements can be as much as 4% of total worldwide annual turnover or €20m, whichever is higher – a figure that is being used a great deal for scaremongering.

But, as the ICO has already pointed out, issuing fines isn’t what the GDPR is all about; it’s really about making those who process personal data do so responsibly.

So proportionality is key when it comes to determining the outcome of a data protection infringement. You can see that from how the ICO deals with breaches under the Data Protection Act. Under the DPA the ICO can fine up to £500k, yet it fined TalkTalk only £400k for its 2015 breach, and it issued no fine at all to the Royal Free NHS Trust for sharing patient data with Google DeepMind.

However, there’s a challenge ahead. The GDPR is, by definition, an EU Regulation, which means it applies directly across all EU member states (including the UK, despite Brexit) from 25 May 2018. Whilst there are derogations in some areas, its intention is to provide a level playing field across the EU, so that wherever a Data Subject is in Europe they can expect the same level of protection regardless of which EU country their data is processed in.

The same level playing field is meant to apply to administrative fines, and the recent A29WP guidance attempts to set expectations in that regard. The intention is that all regulators will apply the same principles when they investigate an issue, and impose similar fines and remedies for similar infringements. To achieve this, the guidance suggests the regulators will co-operate with each other via “case-handling workshops or other events”, with the European Data Protection Board (EDPB) having a role, once it is established, in resolving differences in approach across Europe. As the guidance itself concludes, we’ll have to wait and see how things progress, because “applying administrative fines consistently across the European Union is an evolving art”.

What is clear is that the GDPR allows for proportionate, case-by-case investigation and decision making by the regulatory bodies, which makes it unlikely that we’ll see the top-level fine issued other than in exceptional cases.
