If the prospect of a large fine for breaching the new GDPR laws is daunting, then it will be no comfort to know that it is actually possible to be fined twice for the same offence under different laws!
We are all mostly by now, well acquainted with the General Data Protection Regulation (GDPR), and specifically we would be foolish to ignore the potential fining power that the supervisory authorities have been granted under this new law; a staggering €20 million (about £17.5 million) or 4% of annual global turnover (whichever is higher).
This alone is an incentive to sort out your data protection, and security! But is this the only fine a company could incur for a security breach leading to loss of data?
We learned this week that Tesco Bank have been fined £16.4 million, by the Financial Conduct Authority (FCA), over the failings which led to their security breach in November 2016, involving 9,000 accounts which were compromised. As this happened before 25th May 2018, the incident is measured against the old data protection laws, meaning Tesco Bank could be fined a maximum of £500,000 by the Information Commissioner's Office (ICO). However, had this happened 6 months later, they could have conceivably faced a fine of up to £1.9 billion (4% of annual global turnover), on top of the FCA fine!
And it is not just the Financial Conduct Authority who hold the power to impose fines. Depending on your organisation's activities, you may fall within the scope of other supervisory authorities.
As an example, The Directive on Security of Network and Information Systems (NIS Directive) is an EU-wide directive that focuses on the availability of crucial network and information systems in order to protect the union’s critical infrastructure and thereby ensure service continuity. The NIS Directive allows member states to set their thresholds for fines. In the UK, the maximum penalty is £17 million. (Again this does not include the potential fines under the GDPR).
Organisations could be penalised under more than one law, for the same event, because the penalties might relate to different aspects of the wrongdoing and have different effects.
The UK government have said that they would only look to use maximum fines in cases where the offence was flagrant or a repeat, but it would seem that the potential fines which could be attracted are not limited to those allowed under the GDPR.