What Are the Fines for Breaching GDPR Laws?

Posted on Friday, May 31, 2019

You may have heard of the EU’s General Data Protection Regulation (GDPR) by now, but with all of its complexity, are you familiar with the details that could land you in hot water and costly fines for non-compliance? Here’s a chance to brush up on those specifics so you can be confident that you’re doing everything in your power to protect your organisation. And if you need assistance anything GDPR-related, we at Mustard IT are here to help.


GDPR Background


The current version of the GDPR was put into action on 25th May 2018. Although there was a previous regulation, the Data Protection Directive of 1995 that addressed EU citizens’ rights to privacy, that was before the digital world was blown away by social media and the internet. Nonetheless, an update was long overdue.

The current GDPR was created to address privacy issues of EU citizens in digital and online environments. There had been countless reports of unethical behaviour by organisations that profited by trading personal data prior to the regulation being implemented. As a result of the GDPR, trading and selling names and email addresses are illegal, and there are hefty fines for doing so.

When buzz of the GDPR first started, it received a lot of attention, most likely because of the consequences to organisations that failed to comply with it. To illustrate the severity of non-compliance, consider its maximum fine of €20 million, or 4 per cent of global annual turnover, whichever is greater. There is also a less severe civil monetary penalty, of 2 per cent of global annual turnover or €10 million, whichever is greater.


GDPR Put to Its First Test


In order to emphasise the impact of the GDPR, and perhaps to scare organisations into realising the severity of non-compliance, Austrian data privacy activist Max Shrems brought the first legal test to GDPR regulators. If his findings on fraudulent data collection are proven, Google and Facebook could each be liable to pay a fine of over €3 billion. As a result of the two internet giants being put in the spotlight, organisations of all sizes are doing everything in their power to make sure their data security is compliant with the GDPR.


Another case shedding some light on the impact of the GDPR occurred within a matter of days after it was signed into effect. AggregateIQ , a Canadian data aggregator company, was given 30 days to comply with the GDPR or pay the maximum fine. The reason given was that the company held data in breach of two of the new code’s articles.

What Exactly Is the GDPR?


The Information Commissioner’s Office (ICO) enforces the GDPR in the UK. In short, organisations that use, collect or store personal data are required to demonstrate that they’re using it lawfully and in ways that align with the six principles. There are six data-protection principles that serve as the basis of the GDPR. Organisations must ensure that they do the following with their personal data:

  1. Process it fairly, lawfully and transparently.
  2. Collect and process it for specific reasons only, and store it for specific amounts of time.
  3. Collect only the data needed for its intended purpose.
  4. Take reasonable steps to ensure the data is accurate.
  5. Keep it in a form that allows the identification of individuals only as long as it is absolutely necessary.
  6. Protect it from unlawful access, damage or accidental loss, and keep it in a secure location.

Organisations need to not only abide by those six principles; they also need to be readily available to demonstrate or prove that they are doing everything in their power to comply.

Rights of Consumers Under the GDPR

In order to fully understand their obligations under the GDPR, organisations should be familiar with the rights that consumers have regarding data privacy. Here is a look at the eight rights that consumers as individuals have under the GDPR:

  1. The right to be informed: Businesses must inform individuals when they collect their data, which data they collect, who they will share it with and how long they will keep it.
  2. The right of access: Individuals have a right to contact an organisation whenever they want and demand to be informed what of their data is being held, for how long it has been in their possession and to whom it has been shared with.
  3. The right to rectification: Individuals are allowed to verify whether the information an organisation holds about them is accurate, and correct any information that is inaccurate.
  4. The right to erasure: When applicable, an individual has the right to have their data deleted from an organisation’s records, in part or in full.
  5. The right to restrict processing: At any time, an individual is permitted to contact an organisation and restrict its ability to process their data. However, this is not applicable in all circumstances. An individual may also need to call upon the ‘right to inform’ in order to decide which data they want restricted.
  6. The right to data portability: Organisations must ensure that individuals have the ability to access and extract their data, such as being able to extract social media activity. This is primarily in place to avoid monopolisation of data due to the lack of portability.
  7. The right to object: If an individual finds that an organisation is using their data in a way they object to, he or she can ask a business to stop using it that way. For example, the individual may object to being on a mailing list but will allow for other means of communication.
  8. Rights in relation to automated decision-making and profiling: Artificial intelligence and machine learning have given a rise to profiling of individuals, based on the data an organisation has accumulated about them. This has created new privacy challenges. As a result, individuals have a right to object to such uses of their data and challenge any automated decisions that have been inferenced about them. They also need to give explicit permission to come to such conclusions.


How the GDPR Affects Small UK Businesses


Before the GDPR was implemented, UK organisations had to comply with the Data Protection Act of 1988, which was even more outdated than the Data Protection Directive that the GDPR replaced. When Brexit is finalised, mirrored UK regulations are intended to replace the GDPR. The result of Brexit is unlikely to impact how small businesses in the UK treat individual rights to privacy and data collection.

It is important to note that businesses with fewer than 250 employees do not have to comply with the GDPR in the same way as larger companies. However, the right to erasure applies to businesses of all sizes. There are also some situations that could make them accountable under the regulations:

  • If their data processing is likely to put the data privacy rights of an individual at risk, is routine or includes special categories of data mentioned under Regulation 9, they must comply with all GDPR regulations.
  • If they fail to report any breach of security to the ICO within 24 hours of its occurrence, or not more than 72 hours, they can be liable for the fine of 2 per cent of global annual turnover, no matter the size of the business.
  • If a business regularly uses an individuals’ data in the same way, it is considered ‘routine’, and it must comply with GDPR rulings regarding protection and privacy.


Even if not required to comply with the GDPR, acting as if it does have to comply is a recommended measure that all small businesses should consider. Doing so helps ensure they are compliant in the event that their employee threshold passes the 250 mark. It also puts them in a good place in the event that regulations are tightened. In addition, it makes good business sense as individual clients may not be familiar with the exceptions afforded to smaller companies, and they may expect compliance regardless.

Keep in mind that the regulations apply to data collected prior to the date the GDPR was signed effect, not just data acquired after its effective date. In addition, the new regulations are much more specific about what is considered ‘personal data’ than the outdated regulations. Now, personal data can be considered:

  • Personal home and email addresses
  • Names and phone numbers of personal contacts
  • Personal IP addresses
  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs
  • Sexuality
  • Health information of mental or physical nature
  • Trade union memberships
  • Criminal offences

4 Tips to Help Small UK Businesses Avoid the GDPR Maximum Fine


Not many organisations were in compliance with the GDPR before it was implemented in May 2018. Data protection and privacy rules are more strict than ever, so it is vital to ensure your business meets its requirements. If you’re not 100 per cent sure, start with the following four tips:

  1. Designate a GDPR compliance specialist.Although everyone in your organisation should grow familiar with its regulations, there should be someone in HR and/or in IT who is responsible for ensuring your workplace is GDPR-compliant. How many people you need will depend on the size of your organisations and the type of business you do, but the more people that are familiar, the better. Keep in mind that you may be required to have a Data Protection Officer as well, depending on the specific data your business works with.
  2. Revamp your cyber-security efforts.As mentioned, you must make demonstrable efforts to secure your clients’ data, which is an invaluable asset to cyber-criminals and hackers. As such, be sure you have a reliable cyber-security team and software, monitoring your network constantly. If a breach is detected, your cyber protocols should be able to alert you instantly if it detects a breach. Remember that you will be on a strict timeline for notification of the breach should one occur, so the sooner the detected, the better.
  3. Do an audit of your data.Know where all of your personal data is stored, and inspect it, whether on the cloud, servers, apps, mobile devices, software or emails. If you find that there is misplaced data, notify an IT specialist at once for help with data discovery. Remember that you are required to have a legal reason for holding and processing the data you keep and need to know where that data is so you can comply with an individual’s right to be informed, erase and access data.
  4. Ensure your privacy notices and contracts are GDPR-compliant.As organisations made efforts to adhere to the new conditions of the GDPR, they flooded individuals’ inboxes with privacy notices and terms of service. But those notices and contracts themselves need to be compliant as well. Be sure to check all internal and external contracts and notifications as a result.



If you’ve been avoiding GDPR compliance, hoping that Brexit will negate it, think again. The GDPR isn’t going anywhere, and Brexit won’t affect the way UK-based companies now have to store and process the data of EU citizens. Huge international organisations are already being made examples of, as they’ve failed to maintain proper data security and handle data. Smaller companies will be under the same scrutiny and are actually even more vulnerable, as those are the companies that cyber-criminals target. It is prudent to do everything in your power to comply with regulations now to avoid significant fines and loss of reputation.

About Mustard IT, GDPR compliance partner

Mustard IT provide a trusted team who are experienced and able to explain complex issues to you in a language you’ll understand. Contact us today to find out how we can help you adapt to the changing rules around GDPR.