Why UK companies still face €20m fines over EU data protection legislation

The new legislation will come into force on 25th May 2018, which is within the minimum two-year period for Britain’s formal exit, so companies here will be formally bound by it for some time. Known as the General Data Protection Regulations (GDPR), the updated rules will harmonise data protection laws for a level playing field across the EU.

The general theme is that more stringent obligations for businesses will strengthen the protection of personal data (typically, employees, customers or potential customers). These will require a stricter approach from the company data controller, with non-compliance leading to massive fines that are a huge increase on existing penalties.

The maximum tariff for breaching the UK Data Protection Act is £500k. Depending on the severity of the offence, a GDPR violation will result in a fine of between €10-€20m, or 2–4 per cent of worldwide turnover (a potentially vast sum for international companies), whichever is larger.

Any business that processes data on any level could be liable – with larger companies that manage far greater volumes needing considerable time to gear up properly so that they can demonstrate compliance when GDPR comes into effect and avoid fines. For those in the IT sector, particularly cloud services providers, it will be absolutely crucial that they know where data they hold is transferred to – even if the UK eventually opts out of the new regulations.

This is because GDPR provides EU member states with extra-territorial reach, meaning that if UK companies deliver goods or services to customers in the EU, they will have to apply policies and procedures that meet its requirements on the protection of any personal data they send or receive.

There is also a risk that we will find ourselves in the same position as the US, whose controls are not regarded as sufficiently strong to protect data transported from the EU. As such, assurances have to be given and intricate contracts must be written for each new job individually – adding an onerous degree of extra hours, cost and complexity every time.

With the only uncertainty being the length of time British organisations will have a statutory obligation to work to GDPR – and the strong likelihood that all will have to comply in order not to suffer commercially anyway – it is sensible to take a number of preparatory steps now.



Key players and decision makers must be made aware of GDPR, what it requires and the impact it will have – while all personal data held, where it came from and with whom it is shared must be documented. Current privacy notices should be reviewed and a timescale put in place to bring these up to GDPR requirements by or before May 2018.

Look at the various types of data processing carried out and be sure that there is a legal justification for doing so, which must be documented. Review how consent is sought, obtained and recorded and whether changes are required – particularly with the details of children, whose ages must be reliably verified.

Companies have to be sure that they have the right procedures in place to detect, report and investigate any data breach – and should formally designate somebody to take responsibility for data protection compliance and what action to take against all GDPR’s demands.

The Information Commissioner’s Office has prepared a straightforward pdf guide to what needs to be done, which can be found searching for ‘GDPR’ at www.ico.co.uk.

Whether or not UK companies will have to formally comply with GDPR forever will depend on Brexit negotiations and the sort of relationship that a future administration forges with the EU. As in other areas of commercial law, it is likely that they will have to obey whatever rules the bloc demands if they are to do business there – even if for simple commercial expedience.

Chloe Horrocks is a solicitor in the Commercial team at hlw Keeble Hawson.