The GDPR is a set of strict rules that must be adhered to when processing the personal data of EU citizens. Failure to comply with GDPR can result in fines that can reach millions, so it’s no surprise that many businesses are concerned.
However, the GDPR is written with organisations in mind. So can an individual get a GDPR fine? If you’re reading this article, you probably already know something about the General Data Protection Regulation (GDPR) and how it affects data privacy. Read on to find out how UK-GDPR and EU-GDPR affects organisations and potentially individuals within them.
What is a GDPR fine?
A GDPR fine is a monetary penalty imposed by a supervisory authority like the ICO (Information Commissioner’s Office) on organisations that fail to comply with data protection rules. Since the GDPR is a regulation and not a directive, it’s enforced at the national level within each European country. This means that they can impose their own fine amounts on organisations, ranging anywhere from a few thousand to millions. The GDPR fine amount is determined by a number of factors including the organisation’s size, the type and number of violations, and the duration of the non-compliance.
How do you get a GDPR fine?
An organisation can get a GDPR fine if they fail to comply with its data protection rules. The GDPR covers all organisations that either process personal data or offer goods or services to EU residents, regardless of the organisation’s size. This means that both small and large companies are required to comply with these regulations and are subject to the same fine amounts.
Can an individual get a GDPR fine?
In very specific circumstances. GDPR fines are usually imposed on organisations. If an organisation is made up of one person, then you can consider that an individual fine. But otherwise, the fine goes to the organisation as a whole.
There are other specific circumstances, however, when an individual within a company can be fined:
- Obstructing investigation into non-compliance of GDPR.
- Submitting false information to the ICO or DPA.
- The destruction or falsification of evidence or information.
- Obstructing official warrants made as a result of GDPR or other privacy laws.
- Accessing personal data without permission from the data controller.
Essentially, it’s rare for individuals to face a fine for failing to comply with GDPR, unless they are running a business or organisation as a sole trader. In this sort of instance, the business might consist solely of one individual and they are the only person that a fine can be applied to.
Outside of this, examples of data breaches applied to individuals are few and far between. One such example involved an employee who switched to another company but took a lot of client details with them to use in their new position. They were fined less than a thousand pounds in this instance.
Even organisations aren’t always guaranteed to face a fine in the event of an alleged data breach. From 2016 to 2017, ICO looked at around 17,300 cases of data breaches. Only 16 resulted in a fine. There are a lot of factors to consider when looking at data breaches and the possibility of a fine, but a surefire way for a company to come under a lot of fire from data privacy breaches is for a lot of them to happen at one time.
How much is a GDPR fine?
As explained above, the GDPR fine amount is determined by a number of factors in addition to the organisation’s size. This makes it difficult to accurately predict the amount for any fine. However, the ICO has published guidance on GDPR fines and suggests that the punishment for a company that fails to comply with the GDPR could range from a few thousand to hundreds of millions of Euros. These numbers should be taken with a grain of salt because they are just meant to highlight the broad range of possible GDPR fines.
Bottom line
The GDPR fines vary across EU countries and are determined by a number of factors including the organisation’s size, the type and number of violations, and the duration of the non-compliance. The punishment for data breaches on a company seems to get harsher as privacy laws evolve over time. As a result, an individual in a company can expect their position in the company to be damaged if they are responsible for a breach – even if they do not receive a fine personally themselves – but they will likely expect to face consequences within their organisation if the breach is significant, or even worse, is repeated.
