Now that the set period for Brexit transition has come to an end, there are two different versions of the General Data Protection Regulation (GDPR) that organisations based here in the UK may need to ensure they remain compliant with.
Firstly, the UK GDPR, which, working alongside the Data Protection Act 2018 (DPA 2018), applies to any processing of personal data belonging to residents of the United Kingdom. Secondly, the EU GDPR will continue to apply where UK firms process personal data belonging to residents of countries within the European Union.
Established fines for GDPR infringements
Both the UK GDPR and the DPA 2018 state that firms committing infringements can now face a maximum fine of £17.5m or 4% of their global annual turnover, whichever is the greater amount.
The EU GDPR sets a maximum fine for infringements of €20m (approximately £18m) or 4% of global annual turnover, again whichever figure is greater.
Do all GDPR infringements result in data protection fines?
While fines can be issued where supervisory authorities believe they are warranted, this does not happen in every case. Here in the UK, the dedicated data regulator, the Information Commissioner’s Office (ICO), has the power to choose from a range of different actions. These include:
• Issuing reprimands and warnings
• Ordering the deletion, correction, or restriction of data
• Suspending transfer of data to third countries
• Imposing permanent or temporary bans on data processing
Who receives the money collected from GDPR fines here in the United Kingdom?
All fines collected from companies by the ICO are paid into Her Majesty’s Treasury’s Consolidated Fund. That money is then spent on justice, policing, education, social and health care, and other areas.
The annual data protection fees that data controllers are obliged to pay, however, are used to fund the continuing work of the ICO.
How do regulators calculate GDPR fines?
GDPR fines are discretionary, not mandatory. Each penalty must be imposed on a case-by-case basis and must be effective, proportionate and dissuasive. The level of any fine is influenced by a number of factors, including:
• The kind of infringement, its severity and duration
• Whether the infringement was accidental or intentional
• The actions taken to reduce harm to data subjects involved
• Security measures adopted
• How many previous GDPR infringements a firm has had
• The kind of personal data involved
• Whether the firm notified the ICO within an appropriate timeframe
Keeping compliant with Galaxkey
Here at Galaxkey, we have developed a secure system that ensures companies can operate safely in line with the requirements of data regulators around the world. There can be no doubt that data breaches can be costly to firms, so taking steps to secure the information you handle is always the best policy.
Test drive our system today with a free trial and enjoy powerful end-to-end encryption that safeguards the data you store and send.