One of the biggest changes introduced by the GDPR was the power to set fines as a percentage of global annual turnover. This ability, exercised at the discretion of the ICO (the UK's supervisory authority), allows much larger fines than were available under the previous regime.

There are two tiers of administrative fines, each capped at whichever of the two figures is higher:

  • Up to €20 million or 4% of annual global turnover for breaches of the core principles of processing, the conditions for consent, data subjects' rights and the rules on international transfers
  • Up to €10 million or 2% of annual global turnover for breaches of controller and processor obligations, such as keeping written records of processing (Article 30) or implementing appropriate technical and organisational security measures (Article 32)

For the UK at least, fines on this scale were initially few and far between. The ICO repeatedly stated that fines were intended as a last resort, with warnings as the preliminary measure, but there has been a marked increase in both fines and reported breaches since the beginning of 2020.

According to research from DLA Piper, between January 2020 and January 2021:

  • GDPR fines rose by nearly 40%
  • Penalties under the GDPR totalled €158.5 million ($191.5 million)
  • Data protection authorities recorded 121,165 data breach notifications (19% more than the previous 12-month period)

The pandemic may of course have played its part; or did it simply take this long for reporting systems and investigations to reach full speed?

In 2021, the top 10 GDPR fines ranged from €440k to €10.4m. The UK had the fourth-highest total for GDPR fines, behind Italy, Germany and France. But where does the money go?

According to BBC News, “In the UK, all penalties handed out by the ICO are paid into a central government fund which belongs to the Treasury.

The Consolidated Fund is the government’s general bank account at the Bank of England…This means that just like tax revenue, GDPR fines are used to fund public services.”

It is, however, likely that compliance with the GDPR will face further challenges in a post-Covid world: remote working was implemented at speed, and security was not always front of mind when it was.

Consequences of a data breach

Aside from the hefty fines, a data breach has other serious consequences that are often overlooked:

  • Damage to brand or reputation: If your brand or reputation has any value, consider how a personal data breach would affect your relationship with existing and prospective customers.
  • Commercial growth: Many bids and tenders ask whether you have suffered any reportable breaches in recent years. Answering 'Yes' usually marks the end of your submission, so consider the impact on your business growth if you were to suffer a breach.
  • Personal liability: In recent months, individuals have been personally prosecuted for misuse of personal data, so make sure you know what you are (and are not) allowed to do with the personal data you hold.
  • Lost revenue: If your site goes down because of a security breach, you lose revenue for as long as it is unavailable and while the breach is being remedied. The longer the outage, the more sales you could lose (on top of the reputational damage above).
  • Intellectual property: If an attacker were to obtain your new product ideas or plans, your business growth could be damaged if someone else goes to market first. Protect your IP.

The positive impact of GDPR

Ultimately, the Regulation is about protecting our data and making it safer. The obligation is on companies to be clear, simple and transparent in their use of data. Data is a valuable currency, and with so much of it in circulation, that obligation must be a good thing.

  1. For businesses – the GDPR may have created some challenges and pain points as processes were reviewed and renewed, but it has also created opportunity.
  2. For customers – the GDPR has given brands a chance to grow loyalty and increase retention. Businesses that demonstrate clear and transparent data policies build deeper trust, by showing that they understand customer concerns and value data privacy.
  3. For prospects – the GDPR forced companies to focus on quality over quantity. It encourages relationship building with people who actually want to hear from you: instead of talking to those not in the market to buy, you should be dealing with prospects who are more engaged.

If you are feeling frustrated by the GDPR, read our blog on how to make sure you are compliant. You can also check out our Resources page for free downloads and guides. By working methodically, you can implement systems that ensure ongoing compliance.