Fine Times: Higher Fines For Data Protection Breaches

We still can’t tell you precisely when the new data protection laws will come into force, but there are some updates which we think you’ll be interested in:


Agreement has been reached that the new Regulations should come into force in 2015 (provided everybody can reach agreement on them, which hasn’t happened so far);


The previous draft included fines of upto 2% of annual global turnover – the latest proposals increase the fines to an amount upto 5% of annual global turnover or 100m Euro, whichever is the higher (the regulator does have the opportunity to issue a written warning for ‘first-time offenders’ (provided the failure to comply wasn’t intentional) or to require the use of periodic audits as an alternative to imposing a fine);

European Data Protection Seals?

The Regulation places a great deal of faith in the concept of ‘seals’ to provide assurance that the organisation’s data protection activities are compliant – the proposal is that organisations can pay the regulator to inspect their processing of personal data to assess and certify that their processing is compliant (bearing in mind the limited resources of the ICO, the proposal confirms that the ICO may outsource this function to third party auditors).  There is also the possibility of compliance with a technical standard (e.g. an ISO standard) providing the same level of assurance.  What’s the benefit?  Organisations with a ‘seal’ are largely immune from fines (unless they fail to comply with the Regulation intentionally or negligently) and transfers of personal data between organisations with seals is permitted regardless of whether it is being transferred outside the EEA;

Risk Assessments?

An obligation to undertake privacy impact assessments for virtually all processing of personal data i.e. a risk analysis to assess whether the processing of personal data will create any risks to be reviewed and updated periodically/as processing operations change (these assessments are viewed as the ‘essential core’ of data protection compliance and we would see these as ‘best practice’ in any event);


The much talked about right to be forgotten remains but it has been amended to manage expectations (it is now referred to as the ‘right to erasure’, it no longer refers to the right ‘to be forgotten’ and the obligation to ensure that third parties erase copies of data has been diluted).  The portability right has also been amended (i.e. the ability to request a copy of your data in a format which can be transferred to another service provider) and organisations are encouraged to develop interoperable formats and protocols to enable data subjects to access and transfer copies of their personal data from one organisation to another (e.g. from one social media site to another);


As we’ve previously blogged, there is an increasing emphasis on ‘purpose-limitation’ and this is reinforced with additional provisions emphasising that all consent is purpose-limited (i.e. once the purpose has ended, the consent to process the data is no longer valid);

A Reminder? 

By way of very quick summary, the Regulations:

  • Provide the ICO with regulatory audit rights.
  • Require organisations to notify the ICO and affected data subjects of security breaches.
  • Impose direct obligations on data processors.
  • Impose an overriding obligation of ‘privacy by design’ to ensure that our rights as individuals are factored-in to the technology which utilises the data & the use of privacy settings to enable individuals to easily control access to and sharing of their information.
  • Require organisations to engage a Data Protection Officer with appropriate experience and expertise (the requirements for this have also changed under the new draft with the test based on number of data subjects whose information is processed or the type of data processed (e.g. location data/sensitive personal data), rather than the number of employees which the organisation has).
  • Impose additional requirements on organisations to keep inventories of the personal data which they hold, the periods for which it is held, the purposes for which it is held etc.
  • Have extra-jurisdictional effect and apply to any organisation which operates in the EU (if it offers goods/services to EU citizens or monitors their behaviour).
  • Remove the current process for registration with the ICO.

The new proposals have been accepted by a committee of MEPs.  Whilst the Regulations remain subject to change, the Regulations are crystallising and we get the impression that we are finally moving towards an agreed position.  There is still a huge amount of debate and further refinement, but as we’ve previously blogged, organisations should brace themselves for a significant change in the risk-profile associated with data protection breaches.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.