Comply with hope, not fear
At Culture Republic, we’ve been clear from the beginning that the upcoming GDPR regulations are an opportunity, rather than something to fear. Complying with GDPR will mean you have greater clarity over what data you hold, who is responsible for that data and what you need to do if something goes wrong.
That being said, it’s also important to note the consequences of not complying with the regulations. For the past few months, GDPR has been grabbing headlines with promises of huge fines. While the fears are overblown, the size of the maximum fine is not: €20 million, or 4% of annual revenue for the last financial year, whichever is higher. This is a lot of money, and not a sum that many arts organisations will be able to pay lightly. However, these maximum fines belie a lot more nuance in the way that fines are allocated.
Factors when considering consequences
In the UK, the size of the fine you receive is determined by the Information Commissioner’s Office (if you are processing data belonging to citizens of other EU states then you will likely have to deal with that country’s Data Protection Authority).
When the ICO is deciding the size of the fine to impose, they must take several factors into consideration, including:
- The nature of the misconduct (e.g. number of people affected, the damage suffered, the duration of the infringement).
- Whether the infringement of the regulations was intentional or negligent.
- What your organisation did to prevent the infringement and to mitigate the damage on data subjects.
- Whether your organisation has had data infringements in the past.
- Whether the infringement was reported to the ICO swiftly enough and how well your organisation has cooperated with their investigation.
So although the maximum fine is hefty, the consequences for not complying with GDPR is likely to be dependent on your conduct – organisations that have taken all of the necessary steps to prepare for GDPR could fare much better than those who have not started.
Not sure how well your organisation is doing at getting GDPR-ready? Take our quick test and find out.