
GDPR rules overview
- Any company that collects or uses EU data must comply with GDPR, including when it relies on other companies to help do that work.
- There are two penalty levels: one for technical infringements and one for breaches of GDPR's main rules.
- Penalties include warnings and bans on using data.
- Businesses could face fines, pay for damages, and lose money because of a bad reputation.
Complying with these GDPR rules is a matter of process: companies need clear procedures to follow routinely and when problems occur. Accountants should understand the penalties for breaking these rules. Here's a look at the two penalty levels.
Two penalty levels
Level 1: Not following GDPR’s technical rules
The lower penalty level applies to failures to implement the required technical measures. The maximum fine is €10 million or 2% of the company's yearly income, whichever is higher. Note that it is income, not profit, that counts. This means a company receiving the "maximum" penalty will pay at least €10 million, and if its income is over €500 million the fine will be higher still. This fine is very large. While it is meant to deter infringements, they can still happen. Beyond the fine, the company could lose its reputation and damage its business. If many people are affected by the infringement, they may also take legal action, which could hurt the company even more.
Level 2: Breaking data rights; Not following main GDPR rules
The higher penalty level applies to breaches of people's data rights, meaning violations of the main principles behind GDPR. The fine is €20 million or 4% of the company's yearly income, whichever is higher. Again, it is income, not profit. Doubling the percentage and applying "whichever is higher" means a company with income under €500 million could pay up to €20 million, and companies with higher income will pay even more. Level 2 fines are likely to be imposed more often because they concern breaches of people's rights, which means people's privacy was actually violated, and complaints from those affected are likely to lead to fines. Here too, the company could lose its reputation and face legal action.
How penalties are decided
The penalty amount will depend on:
- The type of data involved in the breach.
- Previous infringements by the company.
- Whether the infringement was negligent or intentional.
- Whether the company followed data protection rules.
- Whether the company reported the infringement correctly.
- How much the company cooperated with the authorities.
- What the company did to fix the problem.
- How much damage the infringement caused.
- Whether the company informed the people affected.
- The security measures in place to prevent infringements.
- Any mitigating factors that reduce the company's responsibility.
What a data processing ban means
Besides fines and legal action, GDPR allows authorities to ban a company from processing data. The ban can be temporary or permanent, and either can ruin a company. In today's world, being unable to use data can shut a company down for a long time, and a permanent ban means the end of the business. Even a one-month ban can drive clients away: they won't want to wait a month to continue their work because of a company's mistake. So companies could face fines, legal action, and a processing ban. These penalties are meant to deter infringements, and they are not imposed without a full investigation. But being investigated is itself a problem, and regaining clients' trust will be hard.
All accounting and bookkeeping services risk being banned if they don’t follow GDPR. Working with an outsourced accounting firm like Outbooks can help accounting and bookkeeping companies in the UK get work done while staying compliant.
Comparison with ICO fines
Comparing past fines imposed by the ICO (the UK's data protection authority) with the equivalent fines under GDPR is alarming: GDPR fines could be almost 38 times higher. For example, a £50,000 fine under the ICO's previous regime could be £1.9 million under GDPR. A difference of that size could destroy a company.
Conclusion
Following GDPR is necessary for companies handling EU data. Becoming GDPR compliant doesn't have to cost a lot; it mainly involves changing processes, and the improved security also protects the business itself. With data breaches now frequent, it's important to have steps in place to prevent them and to limit their impact.
Parul is a dedicated writer and expert in the accounting industry, known for her insightful and well-researched content. Her writing covers a wide range of topics, including tax regulations, financial reporting standards, and best practices for compliance. She is committed to producing content that not only informs but also empowers readers to make informed decisions.