GDPR Compliance Checklist: Fines and Penalties

One out of four organisations is a victim of a data breach, according to the Ponemon Institute's 2017 Cost of Data Breach Study (global report). Now that the GDPR is in full effect, the cost of the data loss itself is not the only thing an organisation has to deal with: there is also a much higher additional cost to consider. Penalties for non-compliance with the GDPR are up to €20 million or 4% of annual turnover (whichever is higher).

So is it only a matter of time before every data controller will be shelling out millions to stay in business?

GDPR fines and penalties are deliberately prohibitive; there is no doubt about it. But with 25% of organisations being hit by data breaches, being careless with user data is no longer an option. Does this mean that the growth of data-based technologies, such as big data and data analytics, is being smothered by the General Data Protection Regulation (GDPR)?

That is not exactly true. All the GDPR is doing is disincentivising companies from being careless with their data. Everything from data collection and processing to storage has to be secured using the best available technologies. The GDPR is also about putting power back in the hands of consumers, who now have the right to know exactly what is happening with their data and why.

Think of GDPR fines and penalties as a push to ensure that companies go the extra mile to comply with the rules laid down under the GDPR. The fines and penalties are divided into categories, and which category applies depends on the degree of the offence committed by an organisation. Here is everything there is to know about GDPR fines.

Everybody is talking about it

The General Data Protection Regulation (GDPR) has become a priority item for the boards of a large number of global and domestic organisations. The most eye-catching component of the new data protection regulation is the enormous fines it levies on offenders. Preparing for a GDPR audit requires organisations to make significant changes to their processes and digital infrastructure. Non-compliance can seriously hurt a company's bottom line, which is why organisations have taken significant steps towards ensuring GDPR compliance.

It is important to understand that while fines and penalties will be a huge driving force behind enforcing the law, they are not the only corrective power the GDPR gives the Information Commissioner's Office (ICO). The ICO can issue warnings, impose a ban on processing personal data for a stipulated period, order the correction of flaws in company processes, and even suspend permission to transfer personal data to foreign countries.

As fines and penalties are an extremely important element of the entire GDPR framework, anyone who is going to be affected by the regulation should make it a point to understand them. Here is a quick summary of GDPR fines and the conditions under which they apply.

Coming to the fines

Article 83 of the General Data Protection Regulation (GDPR) covers fines and penalties in detail and requires them to be "effective, proportionate and dissuasive". The GDPR follows a multi-tiered structure for administrative fines. None of these fines is mandatory: the supervisory authority need not levy them, but may do so where it considers a fine a suitable punishment for an offence. In other words, the fines are discretionary and are levied on a case-by-case basis.

Effective means that organisations will not be able to find a shortcut to make the fines and penalties go away, because the GDPR requires them to make permanent structural changes, not temporary superficial ones. Such changes cannot be made in a day. Proportionate means that the authorities will consider every offender case by case and fine them relative to the severity of the offence, their compliance history, and other factors.

Dissuasive is an apt way to describe GDPR fines. The fines, if levied, will make an organisation pay through the nose. These are hefty fines that can make a serious dent in an organisation's annual income statement. This gives organisations a strong reason to avoid them; in other words, a strong reason to comply.

Why such hefty fines?

The compliance requirements of the GDPR are elaborate. Organisations have to invest in infrastructure and training to ensure compliance. Policymakers had to give organisations a strong incentive to comply with such a regulation, and the fines are the most compelling reason why organisations are so invested in making sure that they comply with the new regulation.

What is the fine structure?

The administrative fine structure of the GDPR has two levels. Which tier applies is decided according to the provision that the organisation has flouted. The two tiers are:

  1. Up to €10 million or 2% of the global annual turnover (whichever is higher)
  2. Up to €20 million or 4% of the global annual turnover (whichever is higher)

In each tier, the higher of the two amounts applies.

Let’s break down the two types of administrative fines to understand how and when they are levied.

  • Up to €10 million or 2% of the global annual turnover (whichever is higher)

This fine applies when the company does not comply with the obligations listed in the corresponding paragraph of Article 83 of the GDPR. That paragraph covers obligations related to properly securing data and recording data processing activities, cooperating with the supervisory authorities, notifying data subjects and the authorities about a data breach, data protection impact assessments, data protection officers and their duties, certifications, and more.

  • Up to €20 million or 4% of the global annual turnover (whichever is higher)

This fine applies when the company does not comply with the provisions listed in Article 83(5) of the GDPR.

That paragraph covers the rules on consent, the processing of special categories of data, and the other basic principles of data processing under the GDPR. It also includes the rights of the data subject as well as the proper transfer of data to a recipient based in a foreign country or an international organisation.

Fines and penalties

These are the maximum fines and penalties that organisations may have to pay; the actual amount varies depending on the severity of the offence. As already mentioned, the fine for each organisation is considered on a case-by-case basis. The amount of the fine an organisation has to pay depends on the following factors:

  • The nature of the infringement and its gravity. This is ascertained by taking into account what kind of data the organisation processes, how many data subjects are affected by the breach, and to what extent they are affected by it.
  • Whether the organisation infringed the regulation through negligence or intentionally. This also takes into account the technical and organisational measures undertaken by the data controller and the processor to secure the data.
  • Whether the organisation has taken any measures to minimise the damage suffered by the data subjects as a result of the breach.
  • Whether the data controller or processor is a repeat offender.
  • How the organisation cooperates with the authorities to correct the non-compliance and to mitigate the negative impact of the infringement on the data subjects. The authorities also take into account how the infringement came to light and how the organisation reported the incident.
  • The categories of personal data affected by the data breach.

Does the GDPR ensure compliance only through fines?

No, there are many other ways in which the GDPR ensures compliance. GDPR fines and penalties have attracted a lot of media attention, but they are not the only way of making companies comply with the GDPR. There is elaborate sanction machinery in place to dissuade companies from flouting these regulations.

If there is suspicion that a company is flouting the GDPR, the Data Protection Authority in that country swings into action. It is up to this authority to conclude whether a company has committed a breach, and then to decide whether or not to impose a fine. It considers each case independently, determines the degree of infringement and levies a proportional fine.

If the authority decides not to impose a fine, it can undertake other countermeasures to dissuade the company from non-compliance. The Data Protection Authority takes into account the nature of the organisation's violation, the actions the organisation took to minimise the damage caused to those affected, and the organisation's record of infringements. The authority can reprimand the organisation for the infringement and leave a warning on record, suspend its data transfers to foreign countries, impose a temporary or even permanent ban on data collection and processing, and so on. Fines, penalties and other sanctions are not mutually exclusive; they can be used together to ensure that the offending organisation receives a proportionate penalty.

Fines and penalties are what organisations have to deal with on the administrative side. But there are other, more serious costs, depending on the severity and extent of the data breach. This proves to be a double whammy for organisations that are already reeling under administrative fines and reprimands: they are under a lot of financial stress, and multiple individual claims by data subjects can put even more strain on their balance sheets.

Hence, organisations have all the more reason to comply with the GDPR in order to avoid fines and claims.

How can an organisation avoid GDPR fines and penalties?

The simple and straightforward answer is: comply with the General Data Protection Regulation (GDPR).

Even when an organisation cannot ensure complete compliance with the GDPR, it can avoid hefty fines by showing that it has taken all the necessary steps towards compliance. It is critical for organisations to close any gaps in the most important areas first, for example by updating consent forms, strengthening the security of the individual data categories, and informing data subjects promptly when there is a breach. Once the big-ticket items are taken care of, an organisation can move on to more general data protection measures, such as training staff and keeping up with the more advanced security measures available on the market.

GDPR & Organization

Under the GDPR, organisations cannot enjoy any immunity from fines; the system is not built that way. So the best way to avoid fines is to bring in a professional who can help update the organisation's current systems to GDPR standards. Another alternative that organisations are gravitating towards is cyber insurance. Cyber insurance policies differ in what they cover, so it is important first to understand the kind of coverage on offer and then purchase one.

It is important to remember that a data breach does not automatically translate into a million-euro fine for an organisation. The Data Protection Authority in each country takes a granular approach to understanding the case. However, it is equally important to remember that the punishments for repeat offenders are severe.

Stay safe. Act now

It is still not entirely clear how the General Data Protection Regulation (GDPR) fines and penalties will work in practice. But focusing only on the fines is not the best way of looking at what is essentially a business problem. The aim of the GDPR is to bring about data security in a fast-evolving cyberspace, and organisations should pursue the same aim by improving the systems they use to collect and process personal data.

Organisations need to ensure that they:

  • conduct regular GDPR audits;
  • have proper policies and procedures in place to ensure that they are compliant;
  • train their staff to meet GDPR obligations;
  • implement GDPR-compliant cookie consent solutions on their company websites;
  • seek advice from data protection officers or privacy experts in the event of a data breach.