GDPR – What are the penalties for non-compliance?

4th Aug 2017 | 7 min read

With the General Data Protection Regulation (GDPR) adopted and due to apply across the EU from 25 May 2018, it is becoming increasingly evident that most businesses either do not understand what it takes to be GDPR compliant or are not aware of the repercussions if they are found to be non-compliant.

Download our useful GDPR checklist

Interested to know what your business needs to do before May 2018 in order to be GDPR compliant? One of our certified GDPR consultants has put together 34 questions that you need to consider.

What are the GDPR non-compliance penalties?

Cyber security specialists NCC Group reported that last year the Information Commissioner's Office (ICO) fined UK businesses £880,500 under the Data Protection Act 1998; had the GDPR been in force at the time, NCC Group estimated that the same breaches would have attracted fines of around £69 million.

Under the GDPR, administrative fines are split into a two-tiered sanction regime. Less serious infringements (for example, failing to keep proper processing records, to notify a breach, or to appoint a Data Protection Officer where one is required) carry a maximum fine of €10 million or 2% of the business's total worldwide annual turnover for the preceding financial year, whichever is higher. More serious infringements, such as breaching the basic principles for processing, the conditions for consent, or data subjects' rights, carry a maximum of €20 million or 4% of worldwide annual turnover, again whichever is higher. Because the cap is the greater of the two figures, a small business cannot assume that the percentage figure is its ceiling.

In October 2016 the ICO fined TalkTalk £400,000 after a data breach exposed the personal data of almost 157,000 customers, as reported by the BBC. The ICO found that the TV, broadband and telecoms giant had failed to implement basic cyber security measures, making it too easy for the attackers to access the data.

To put this in perspective, The Register reported that had the breach occurred under the GDPR, TalkTalk could have been fined up to £59 million. The fine was not the only cost: SC Media reported that TalkTalk lost 250,000 customers following the breach and that its share of the home services market fell by 4.4%. TalkTalk is now known as one of the cheapest fibre broadband providers, a price-based strategy thought to have been adopted in order to win back the trust of its customers.

What other consequences can GDPR non-compliance have?

The consequences of failing to adhere to the GDPR do not stop at astronomical fines: in severe cases, company directors could face a prison sentence. Kingsley Napley, the internationally recognised law firm, reports that this could be the case if the business in question has lost personal data because of weaknesses in its security set-up, or if data has been stolen from within the business. Note that the GDPR itself provides only for administrative fines and leaves other penalties to the national law of each member state (Article 84), so any custodial sentence would come from UK data protection legislation rather than from the Regulation directly.

Should small businesses ignore the GDPR?

Many small businesses assume the GDPR will not affect them, but that is not the case. Hiscox, the insurance giant, points out that any business that handles or processes personal data falls within the Regulation and can be fined if that data is lost or stolen. The GDPR's obligations and sanctions apply to any organisation that processes personal data, regardless of its size. The only size-related relief is the limited exemption from record-keeping for organisations with fewer than 250 employees (Article 30(5)), and even that does not apply where the processing is likely to result in a risk to individuals, is not occasional, or involves special categories of data.

What does GDPR consider personal data?

The GDPR defines personal data as any information relating to an identified or identifiable living individual (Article 4(1)), so the definition is far wider than names and addresses. Common examples include:

  • Personal home addresses
  • Contact names
  • Personal contact numbers
  • Personal IP addresses
  • Personal email addresses

The following are 'special categories' of personal data (Article 9), which may only be processed under a narrower set of conditions and fall into the upper tier of fines if mishandled:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Sex life or sexual orientation
  • Physical or mental health information
  • Whether the customer is a member of a trade union

Data relating to criminal convictions and offences is treated separately (Article 10) and may only be processed under the control of official authority or where EU or member state law authorises it.

What must businesses do in the event of a data breach?

Under Article 33, a business must report a personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the report is made later than 72 hours, it must be accompanied by reasons for the delay. Where the breach is likely to result in a high risk to individuals, the affected people must also be told without undue delay (Article 34). From 25 May 2018, failing to notify within the time frame is itself an infringement and, as the ICO points out, can attract a fine of up to €10 million or 2% of annual turnover. Note that the clock starts when the business becomes aware of the breach, not when the breach occurred, so logging and internal escalation procedures that let you establish and evidence that moment are essential.

If you have any concerns about your business's IT security set-up, please get in touch and one of our certified GDPR consultants will be happy to discuss solutions with you. Our GDPR Consultancy Brochure is also available as a download.


We would love to hear from you

Our specialist team of consultants look forward to discussing your requirements in more detail and we have three easy ways to get in touch.

Call us: 03301913473
Complete our contact form
LiveChat now: via the pop up
