GDPR - GPC - Blog 9

9 Blog Nine Fines

Fines, fines, fines

We’re all doomed if you believe the scaremongers, new fines under GDPR enough to obliterate any UK general practice from the financial landscape, up to 20 million Euros, yes that’s twenty, pause, million, pause, euros, or roughly £17M if you’re not counting the pennies. These sums are more than enough to grab anyone’s attention and will likely scare the s***e out of any NHS contract holding GP but a reality check reveals a somewhat less threatening picture.

Fines, or rather “administrative fines” are first mentioned in recital (paragraph in non EU language) 1482 of GDPR and are specified in detail in Articles 583 (which enables them) and 834 which indicates how much can be fined and what factors are to be taken into account when determining the amount. Now for GPs, because we handle special category data, and lots of it, and for a long time, and for lots of patients, we are right on the riskiest end of the spectrum so it’s worth our being aware of the new fines and what surrounds them.

Firstly it will be the ICO who determines whether a contravention has occurred. Then they will decide if a fine is appropriate, they are by no means the default outcome.

If a fine is thought to be necessary it is then judged against a set of criteria that are pretty obvious to any reasonable person; what was the nature of the contravention? What was the scope or gravity? How many DSs were involved? What was the data, what type of data, how much, for how long, where did it go? Additionally the ICO will take into account the DCs behaviour, was there wilfulness or negligence or anything “prior”? Did the DC have any policies? Did they self-report or was it uncovered? What have you done to mitigate or resolve the problem? Have you co-operated with the ICO? Basically if you are a bad boy and you knew it, you are in trouble. For a fuller explanation see the official GDPR guidance5.

Now for GPs some of the answers to those questions are by default set at max merely because of what we do. This means whereas GDPR has two levels of potential fines (10M euro or 2% worldwide turnover is the lower) GP fines will have an upper limit of double that, hence the 20M euros headlines.

And look at those words carefully, its not profit, or funds, or reserves, its turnover. So you get fined whether or not you are making a profit or a loss.

Turnover is not actually defined in GDPR but its common accounting definition is total “sales” net of discounts and taxes. For an NHS General Practice its “sales” are the services it delivers under its contract(s). So for an NHS general practice you would be fined on your total NHS and private income streams, before expenses, no matter what the level of profit.

Because its turnover and not profit in effect the effective % is geared up; take a practice, 6,000 patients, £1M Turnover, £200,000 profit, a 4% fine on turnover equals 20% of the profits.

All rather worrying which is where the ICO herself, Helen Denham, steps in. She has produced some very reassuring and sensible comments in her blog1 viz;

The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick


Issuing fines has always been and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned”.

And being a person you can trust the proof of the pudding is in the ICO’s web site which reveals what they have actually levied as fines in the English health care market, ; select the TYPE “Monetary penalties” box and SECTOR “Health” and you’ll see only 3 fines in the last 3 yrs. Compare that with the numbers above and the fact there have been 6 prosecutions against healthcare workers in the last 12 months. 

My message is simple, the potential fines are huge, in reality 4% of the turnover of an NHS practice could be as much as 10 -15% of any profit the likelihood of actually being fined almost non-existent. GDPR is not difficult or massively complex, most of what’s in it is a tightening up what’s already there. Do it right, or at least show you’ve made an effort to do it right and your wallet will remain unharmed.


Dr Paul Cundy

GPC IT Policy Lead

11th April 2018



2, GDPR original text page 26,


3, Article 58, Page 66

All Content and Images are  the Copyright property of
The Mid Mersey Local Medical Committee. 
© 2014 - 2021. All Rights Reserved.