If you’re reading this, then you are no doubt aware of GDPR - the European Union’s trailblazing law that protects the personal data of its residents.
The mammoth fines handed out to tech giants pop up almost daily in the news and the €746 million thrown at Amazon is big enough for anyone to sit up and take notice.
But what does this mean for you?
This article will break down the system of financial penalties established by GDPR, and also look at how exactly these fines are determined.
What GDPR Fines are there?
The law has created a two-tier system for GDPR fines, based on the severity of non-compliance:
- Up to €10 million, or 2% of the worldwide annual revenue from the previous year - whichever is higher
- Up to €20 million, or 4% of the worldwide annual revenue - whichever is higher
Now, that’s a lot of money however you spin it, and these facts alone are enough to worry any business.
However, these are worst-case scenarios and the smallest fine dished out so far has been a somewhat more paltry €28 (Privacy Affairs).
What do these GDPR Tiers Mean?
Let’s investigate the differences.
Tier 1 - Up to €10m or 2% of global annual revenue
This is the lower tier for less severe infringements and is handed out to companies that violate GDPR in the following areas:
Type of organization
Data controllers and processors
Articles 8, 11, 25-39, 42, and 43
Companies must respect the rules governing data protection, lawful justification and so forth.
Articles 42 and 43
Accredited bodies must be transparent and unbiased.
Monitoring bodies for complaints and infringements
These organizations must follow established procedures, and be transparent and unbiased.
Tier 2 - Up to €20m or 4% of global annual revenue
This is the higher tier for more serious infringements, and is handed out to companies that violate GDPR in the following areas:
Basic principles for data processing
Articles 5, 6 and 9
This must be done in a lawful, fair, and transparent manner. Data can only be processed for specific purposes and must be stored securely, accurately and be up-to-date.
Conditions for consent
Companies need to have the documentation to prove when they have acquired consent as the justification for data processing activities.
Data subject rights
Individuals need to know what data a company is storing, and what they are doing with it. They also have the right to demand this information, as well as to correct, erase, or transfer it on request.
Data transfer to an international company or third country.
Before this is done, the EC must decide that the destination company/country meets GDPR data protection standards. The data transfers must also be done securely.
How are GDPR Fines Determined?
Given that the size of fines handed out to companies varies so much, it would be easy to think that data protection authorities (DPA) are pulling random numbers out of a hat.
In reality, DPA’s use Article 83 of the GDPR to determine what the fine should be. The factors outlined here include:
- The nature and size of malcompliance
- What precautions the company had in place to limit risk
- Whether the company notified affected data subjects about their infringements
- The type of personal data that was affected
- The company’s history with regard to data privacy issues
- The company’s level of compliance with their DPA during the remediation period
- How the company responded to GDPR warnings
- The intent with regard to data misuse, and whether negligence occurred
- How much mitigation exists to limit the damage done to data subjects
GDPR Fines are the Last Resort
The purpose of these financial sanctions is to discourage companies from ignoring GDPR requirements for personal data - not to force them into liquidation.
Payment of these fines is a legal requirement however, and company executives that don’t cough up risk imprisonment.
Having said that, GDPR sees fines as a last resort, and is working to provide better guidelines to help companies meet their data protection responsibilities.
And before giving out fines, GDPR will issue warnings, reprimands, and corrective orders. By adhering to these demands, you should be able to avoid the worst of these sanctions.
Are there any Non-Financial Penalties?
Other than GDPR fines, a strike from your data protection authority can have other consequences.
Firstly, companies will lose a lot of trust from customers. Nearly 70% of all global internet users are now proactively looking for ways to protect their online privacy (Statista).
Secondly, it stands to reason that companies that fall foul of GDPR enforcement work will lose business, with consequences for long-term prosperity.
And finally, companies risk being hit by a permanent ban on processing the personal data of EU residents. Given the importance of the internet in the modern world, this could well kill them off completely.
How to Avoid GDPR Fines
Data protection authorities are becoming more sophisticated and they are dishing out more fines than ever before. However, they are overworked and enforcement is still unable to keep up with the number of new cases for the moment.
The surest way to avoid fines is to comply with GDPR.
Given the paucity of official guidance out there, we’ve created a guide which can help companies meet GDPR requirements.
Why not have a look and set the wheels in motion?