GDPR - The Fear Factor?

The first couple of blogs we have done on GDPR have been focused on some of the technical aspects of the regime. This has led to some subject matter that might not have been particularly interesting and may have seemed a bit technical. This blog will be much shorter and to the point.

Why? Rather than looking at the substance of GDPR, in this article, we are focusing on the headline financial implications of a failure to comply with the regulations. Whilst data protection legislation is geared towards the protection of personal data, in order to ensure that these aims are achieved, there has always been a need for a sanctions regime to make sure that the rules are taken seriously.  

GDPR is set to increase the financial level of penalties that can be imposed from the levels under the Data Protection Act (DPA) and, unfortunately, this has been drawing a few headlines!

Headline Figures

Under the DPA, the maximum level of fines that can be levied by the Information Commissioner’s Office (ICO) is £500,000. Not insignificant for most businesses if a top-level fine was handed out.

Under GDPR, the ICO is empowered to impose fines on data controllers and data processors of up to (the higher of) €20 million or 4% of global, group turnover for the most serious breaches. This level of fine is relevant to breaches of GDPR such as: 

  • the basic principles of data processing, including the conditions relating to the obtaining of consent;
  • the rights of data subjects; and
  • transfer of personal data internationally.

Lower scale breaches can carry fines of up to (again the higher of) €10 million or 2% of the global, group turnover – still potentially significant.



One of the potential reasons for the imposition of a new sanctions regime is the ability to dole out meaningful punishments to the huge multinational businesses that handle personal data relating to EU subjects. As a result of this, the preceding information will appear particularly threatening to small businesses. It is worth remembering that the regulations are not, however, designed to force companies out of business.

In calculating the level of fine to impose, the ICO will take into account factors such as:

  • the nature of the infringement along with its seriousness and duration as well as the nature of the personal data involved;
  • whether or not the infringement was deliberate or negligent and what benefit may have been gained from it;
  • what steps the organisation has taken to minimise damage suffered by individuals and to implement appropriate organisational measures to prevent further occurrences;
  • previous compliance track record of the organisation being investigated or their appointed data processor;
  • levels of co-operation with the ICO in investigating and remedying the infringement;
  • how the infringement was discovered by the ICO, e.g. was it self-reported?


Please keep an eye out for our future updates. In these, we aim to help you identify areas of importance to businesses, so that you can ensure that your risks are covered off. You should also remember that the Information Commissioner’s website has many useful articles, guidance and checklists to help you steer clear of trouble.

This update is for general information only, is non-exhaustive and is not legal advice. If you need assistance, please get in touch.