Consequences of breaching the GDPR

30 November, 2017
by: Cripps Pemberton Greenish


As the General Data Protection Regulation (GDPR) will affect most businesses, it is prudent to be aware of the consequences if you find yourself in breach of its provisions.

Who polices the GDPR?

The Information Commissioner’s Office is the supervisory authority in the UK responsible for overseeing and enforcing compliance with the GDPR. The ICO website contains extremely helpful guidance on compliance with data protection law.

Duty to notify of a breach

If a personal data breach is likely to result in a risk to a data subject’s rights and freedoms, data controllers must notify the ICO of the breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it”. When there is a high risk to a data subject, prescribed information must be communicated to the subject as well.

The ICO must be told:

  • the nature of the breach;
  • the name and contact details of your Data Protection Officer (if applicable);
  • the likely consequences of the breach; and
  • measures taken or proposed to be taken to address and mitigate the breach.

Powers of the ICO

The ICO will have investigatory and corrective powers under the GDPR. Corrective powers include, amongst other things: issuing warnings; ordering compliance with a data subject’s requests to exercise their data protection rights; ordering compliance with the GDPR; and ordering restrictions on data processing activities.

Whilst the ICO also has the power to impose fines, in instances of relatively minor breaches the exercise of the corrective powers above may be sufficient to deal with a data breach. Failure to provide notification of a breach, however, is one of the aggravating factors for imposing a fine.

Fines under the GDPR

Organisations may be fined up to the higher of €20,000,000 or 4% of total worldwide annual turnover for the worst kinds of breaches. However, there are a number of factors to which the ICO must give “due regard” when deciding whether to impose a fine and at what level:

  • Nature, gravity, and duration of the breach;
  • Damage caused;
  • Intention or negligence;
  • Mitigation by the data controller;
  • Appropriateness of existing safeguards;
  • Relevant previous breaches, corrective action ordered, and compliance with any orders;
  • Degree of cooperation with the ICO;
  • How the ICO found out, including whether (and to what extent) the organisation gave notification; and
  • Any other aggravating or mitigating factors.


When breaches of the GDPR inevitably occur, properly reporting the breach to and working with the ICO will always be the best option.
