What are the penalties for non-compliance with GDPR?


Brought into effect in 2018 as a way of harmonising data privacy laws across the European Union, the General Data Protection Regulation (GDPR) is designed to give individuals greater control over the information that businesses can collect about them and what businesses can do with this information.

In a previous post, we set out what this legislation is and how it may affect your organisation.

But what happens if your company fails to meet its responsibilities under GDPR? Here, we explore who within a business is responsible for ensuring compliance and what happens if the rules are ignored. We also look at how you can document GDPR compliance in order to stay on the right side of the law.

Who is responsible for ensuring GDPR compliance?

GDPR rules apply to anyone who processes or controls personal data, meaning that all departments and individuals within a business need to be aware of this legislation and how it affects their tasks. This applies to every area of a company, from human resources to marketing, legal and procurement.

Certain organisations have a duty to appoint a data protection officer (DPO). This applies to public bodies, authorities and businesses whose core activities require the systematic, large-scale and regular monitoring of individuals. DPOs are there to assist organisations in monitoring internal compliance, and they also provide guidance on data protection obligations. In addition, they can advise on Data Protection Impact Assessments and serve as a contact point for the Information Commissioner’s Office (ICO) and data subjects. If your business needs to appoint a DPO, you can choose an existing employee or appoint someone externally. Sometimes, a number of organisations share a single officer between them.

Small and microbusinesses often don’t need to appoint a DPO, but this in no way means they can afford to neglect the issue of GDPR compliance. Management must take ownership of this and make sure that all personnel have access to the information, training, guidance, systems and support they need to adhere to the regulations. This also applies to home workers, where the issue of data management and security can be even more complex.

It’s important to be aware that you can appoint a DPO within your business even if you aren’t required to. If you do this, the officer will be subject to the same requirements as they would be if their appointment was mandatory.

What happens if you ignore GDPR?

Meeting your obligations under GDPR can seem like a daunting task, but simply ignoring this legislation isn’t an option. One of the most notable features of these rules is the fact that businesses which flout them can be hit with significant fines. Your organisation could be fined if you don’t process data in the correct way, you require but don’t have a DPO or you experience a data security

In the UK, fines are determined by the ICO. Lesser offences can result in fines of up to two per cent of a business’s global turnover or €10 million (£8.51 million), whichever is greater. More serious violations can lead to penalties of up to four per cent of a company’s global turnover or €20 million (£17.05 million), whichever is greater.

These fines are much more severe than the penalties that could be imposed under the previous regime, when the ICO could only fine organisations up to £500,000.

Although these figures are worst-case scenarios, and the ICO will take into account mitigating factors including a company’s attempts to comply with GDPR, it is obviously vital that you take your responsibilities under data protection laws seriously. Failure to do so could result in dire financial consequences for your business.

As well as potentially incurring a fine, you may suffer potentially serious reputational damage if you don’t meet your responsibilities under GDPR. Businesses and consumers want to know they are dealing with organisations that take data protection seriously, and so if you fail to stick to the rules, you risk putting people off your company.

How to document GDPR compliance

A big part of GDPR compliance is being able to demonstrate to the ICO that you are meeting the necessary requirements. This means keeping up-to-date records of the data processing activities you are carrying out and noting down the policies you have in place to enable you to follow the rules. Records of processing activities must be kept in writing. While both paper and electronic forms are allowed, it’s best practice to keep digital records.

Documents required under GDPR may include, but are not limited to, the following:

  • Personal data protection policy
  • Privacy notice
  • Employee privacy notice
  • Data retention policy
  • Data retention schedule
  • Data subject consent form
  • Supplier data processing agreement
  • Data protection impact assessment register
  • Data breach register
  • Data breach notification form to the supervisory authority
  • Data breach notification form to data subjects

Make sure you have the information and guidance you need

GDPR compliance can be difficult to get right. If you are unsure of your responsibilities or aren’t quite sure how best to meet them, don’t just guess. There is plenty of information and guidance available, and it pays to make sure you are fully in the know. A good place to start is the ICO website. There, you will find plenty of detailed information, including data protection guides.

From the self-employed and small start-ups, to large well-established businesses, all organisations must follow the GDPR rules.

Protection against data breaches

Cybercrime continues to rise across the globe, with the UK alone losing billions to online attacks and fraud. Despite taking precautions, it’s easy to fall victim to one of these attacks. In a recent survey we conducted into cybercrime, we found that 51% of SMEs have been the victim of a cyber security breach.

The survey also found that 53% of SMEs and self-employed workers were affected financially by cyber-attacks, with 68% describing the cost of the breach as being up to £5,000.

In many cases, a targeted cyber-attack can compromise customers’ personal information and result in it being stolen. To protect you in this situation, cyber insurance can cover the cost associated with informing your customers of the breach, as well as covering your legal defence costs and any damages you are legally required to pay. Cyber insurance from Markel Direct will also provide you with access to a cyber response helpline, staffed by information security experts.

Having anti-virus software installed on your electronic devices helps to reduce the likelihood of a successful cyber-attack, but anti-virus software won’t cover the cost of putting things right after one.

You can find out more about cyber insurance or get a quick quote here.


Charity insurance from £3 a month