Apart from changes in regard to data processing and protection, the General Data Protection Regulation (GDPR) also brought with it, an increased level of penalties in case of non-compliance with the rules and conditions of the regulation. Organizations and companies are required to comply with the regulations set forth, even if they do not have a physical presence in Europe. The changes are going to affect entities across the world even if they are not present in the union.
The GDPR came into effect from May 2018. However, organizations are given a grace period of two years to setup their data processing systems according to the rules laid out by the regulation.
Breaches of all kinds in an organization are liable to be fined. The fines are discretionary and differ on a case to case basis. A breach of security results in a lower level of fine whereas an infringement to an individual’s right to privacy invites greater fines.
The Information Commissioner's Office (ICO) has the power to issue warnings and impose fines. This may even include a temporary or permanent ban on data processing. Like mentioned, fines differ on a case to case basis and can be levied at the discretion of the ICO.
Under GDPR, organizations can be fined 4% of their annual global turnover or 20 million Euros whichever is higher. Not following the regulations set forth in the GDPR while processing customer data can result in these penalties.
Organizations can be fined on the nature, the gravity and the duration of the infringement. Before penalizing an organization, the ICO carefully considers the type of personal data involved and the remedies taken by the controller to reduce the risk.
The General Data Protection Regulation has brought serious changes in terms of processing and also in the way it is done. These fines can be considered as a tool to keep the process ethical and in check.