GDPR Compliance Checklist: Fines and Penalties

One in four organisations is a victim of a data breach, according to the Cost of Data Breach Study: GDPR Compliance Checklist Global for 2017 by the Ponemon Institute. Now that the GDPR is in full effect, the cost of the data loss is not the only cost an organisation has to deal with; it also has a much higher additional cost to consider. Penalties for non-compliance with GDPR are up to €20 million or 4% of the annual turnover (whichever is higher).

So is it only a matter of time before every data controller will be shelling out millions to stay in business?

GDPR fines and penalties are deliberately prohibitive. There is no doubt about it. But with 25% of organisations being hit by data breaches, being careless with user data is no longer an option. Does this mean that the growth of data-based technologies, such as big data and data analytics, is being smothered by the General Data Protection Regulation (GDPR)?

That is not exactly true. All GDPR is doing is disincentivizing companies from being careless with their data. Everything from data collection and processing to storage has to be secured using the latest available technologies. GDPR is also about putting power back in the hands of the consumers, who will now have the right to know exactly what is happening with their data and why.

Think of GDPR fines and penalties as a push to ensure that companies go the extra mile to comply with the regulations laid down under the GDPR. GDPR fines and penalties have been divided into different categories, and each of them applies according to the degree of the offence committed by an organisation. Here is everything there is to know about GDPR fines.


Everybody is talking about it

The General Data Protection Regulation (GDPR) has become a priority item for the boards of a large number of global and domestic organisations. The most eye-catching component of the new data protection regulation is the enormous fines it levies on offenders. A GDPR audit requires organisations to make significant changes to their processes and digital infrastructures. Non-compliance can seriously hurt the bottom line of such a company, and this is why organisations have taken significant steps towards ensuring GDPR compliance.

It is important to understand that while the GDPR fines and penalties will be a huge driving force behind enforcing the law, they are not the only reprimanding power available under GDPR to the Information Commissioner’s Office (ICO). The ICO can issue warnings, enforce a ban on processing personal data for a stipulated time frame, order the correction of flaws in company processes, and even suspend the permissions to transfer personal data to foreign countries.

As fines and penalties are an extremely important element of the entire GDPR framework, anyone who is going to be impacted by the regulation should make it a point to know everything there is to know about this regulation. Here is a quick summary of GDPR fines and the conditions under which they will be applicable.

Coming to the fines

Article 83 of the General Data Protection Regulation (GDPR) discusses the fines and penalties in detail and requires them to be “effective, proportionate and dissuasive”. The GDPR follows a multi-tiered structure for the administrative fines. None of these fines and penalties is mandatory: the supervisory authority need not levy any of them, but it can if it finds them a suitable punishment for an offence. In other words, these fines are discretionary and are levied on a case by case basis.

Effective means that organisations will not be able to find a shortcut to make the fines and penalties go away, because the GDPR requires them to make permanent structural changes and not temporary superficial ones. Such changes cannot be made in a day. Proportionate means that the authorities will consider every offender case by case and levy fines relative to the severity of the offence, compliance history, and more.

Dissuasive is an apt way to describe GDPR fines. The fines, if levied, will make an organisation pay dearly. These are hefty fines that can make a serious dent in the annual income statement of an organisation. This means that organisations will have a strong reason to avoid these fines. In other words, it gives them a strong reason to comply.

Why such hefty fines?

The compliance requirements of GDPR are quite elaborate. Organisations will have to invest in infrastructure and training to ensure compliance. Policymakers had to give organisations a strong incentive to comply with such a regulation. The fines are the most compelling reason why organisations are so invested in making sure that they comply with the new regulation.

What is the fine structure?

The administrative fine structure of the GDPR has two levels. Which tier applies is decided according to the provision that the organisation has flouted. The two tiers are:

  1. Up to €10 million or 2% of the global annual turnover (whichever is higher)
  2. Up to €20 million or 4% of the global annual turnover (whichever is higher)

The higher of the two amounts is applicable.

Let’s break down the two types of administrative fines to understand how and when they are levied.

  • Up to €10 million or 2% of the global annual turnover (whichever is higher)

This fine is applicable when the company does not comply with the provisions listed in Article 83(4) of the GDPR. This paragraph covers obligations related to properly securing data and recording data processing activities, cooperating with the supervisory authorities, notifying the data subjects and the authorities about a data breach, data protection impact assessments, data protection officers and their duties, certifications, and more.

  • Up to €20 million or 4% of the global annual turnover (whichever is higher)

This fine is applicable when the company does not comply with the provisions listed in Article 83(5) of the GDPR.

This paragraph covers provisions related to consent, processing of special categories of data, and the other basic tenets of data processing under GDPR. It also includes the rights of a data subject as well as the proper transfer of data to a recipient based in a foreign country or a global organisation.

These are the maximum amounts of fines and penalties that organisations will have to pay, and the amount can vary, depending on the severity of the offence. As already mentioned, the fine for each organisation is considered on a case by case basis. The amount of fine to be paid by an organisation depends on the following factors:

  • The nature of the infringement and its gravity. This is ascertained by taking into account what kind of data the organisation processes, how many data subjects are affected by the breach, and to what extent they are affected by the data breach.
  • Whether the infringement was due to negligence or was intentional on the part of the organisation. This also takes into account the technical and organisational measures undertaken by the data controller and the processor to secure the data.
  • Whether the organisation has taken any measures to minimize the damage suffered by the data subjects due to the breach.
  • Whether the data controller or a processor is a repeat offender.
  • How the organisation cooperates with the authorities to correct the non-compliance as well as mitigate the negative impact of the infringement on the data subjects. They also take into account how the infringement came to light and how the organisation reported the incident.
  • The authorities will take into account what categories of personal data are impacted by the data breach and take action accordingly.
  • Whether the organisation has benefitted from the infringement in any way.
  • Whether the data controller or the processor has previously been found liable for the same infringement. If that is the case, it is not penalised separately for each infringement; rather, it is treated as having committed the most serious of the infringements of the data protection regulation and fined accordingly.

Does GDPR ensure compliance only through fines?

No, there are many other forms in which GDPR will ensure compliance. GDPR fines and penalties have attracted a lot of attention in the media, but they are not the only way of making the companies comply with the GDPR guidelines. There is elaborate sanction machinery in place to dissuade companies from flouting these regulations.

If there is suspicion that a company is flouting the GDPR regulations, the Data Protection Authority in that country swings into action. It is up to this authority to conclude whether the company has committed a breach. The decision then lies with the Data Protection Authority whether to impose a fine or not. As already stated, they consider each case independently, determine the degree of infringement, and levy a proportional fine.

If the authority decides not to impose a fine, it can undertake other countermeasures to dissuade companies from non-compliance. The Data Protection Authority takes into account the nature of the rules flouted by the organisation, the actions taken by the organisation to minimise the damage caused to other participants, and the record of infringements committed by the organisation. Authorities can reprimand an organisation for its infringements and leave a warning on record, suspend its data transfers to foreign countries, impose a temporary or even permanent ban on data collection and processing, and so on. The fines, penalties and other sanctions are not mutually exclusive. They can be used together to ensure that the offending organisation receives a proportionate penalty.

The fines and penalties described so far are what organisations will have to deal with on the administrative end. But there are other, more serious costs, depending on the severity and the extent of the data breach. These costs relate to the claims separately filed by the data subjects whose data has been compromised due to the laxity shown by the organisation. This proves to be a double whammy for organisations that are already reeling under the administrative fines and reprimands. They are already under a lot of financial stress, and multiple individual claims by data subjects can put even more stress on their balance sheets.

Hence, organisations have all the more reason to comply with the GDPR to avoid any fines and claims.


How can an organisation avoid GDPR fines and penalties?

The simple and straightforward answer is: comply with the General Data Protection Regulation (GDPR).

Even when organisations cannot ensure complete compliance with the GDPR compliance checklist, they can avoid hefty GDPR fines by ensuring that they take all the necessary steps to be GDPR compliant. But that is easier said than done. Your priority should be to understand the regulations that are considered more sacrosanct by GDPR (and hence attract higher fines). It is critical for organisations to close any gaps in those areas. For example, update consent forms, strengthen the security of the individual data categories, ensure that personal data sent to foreign countries is properly encrypted and secured, and inform data subjects promptly when there is a breach. Once you have taken care of the big-ticket items, you can move on to more general data protection measures such as training the staff, finding out about more cutting-edge security measures available in the market, and so on.

Under the GDPR compliance checklist, organisations cannot enjoy any immunity from fines. The system is not built that way. So the best way to avoid any fines is to bring in a professional who can help with updating the current organisational systems to GDPR standards. Another alternative that organisations are gravitating towards is cyber insurance. Organisations can use it to safeguard themselves from hefty fines while they make their organisational structures more compliant with GDPR. Cyber insurance policies differ in their offerings, so it is important first to understand the kind of coverage they offer and then purchase one.

It is important to remember that a data breach does not necessarily translate into a million-dollar fine for an organisation. The Data Protection Authority in each country takes a granular approach to understanding the case. If an organisation can convince the authority that it is taking all the necessary steps to safeguard the privacy of its data subjects, then it can avoid the fines. However, it is important to remember that the punishments for repeat offenders are severe.

Stay safe. Act now

It is still not clear how the General Data Protection Regulation (GDPR) fines and penalties work. But just focusing on the GDPR fines is not the best way of looking at what is essentially a business problem. The idea of GDPR is to bring about data security in a fast-evolving cyberspace. Organisations should do the same. Instead of overthinking the fines and ways to mitigate them, organisations should improve the systems they use to collect and process personal data. Once they start respecting the privacy of their data subjects and running more transparent operations, they will not have to worry about the GDPR compliance checklist and fines anymore. Organisations need to conduct regular GDPR audits, have proper policies and procedures in place to ensure that they are compliant, train their staff to meet GDPR obligations, implement GDPR compliant cookie consent solutions on their company websites, and seek advice from data protection officers or privacy experts in case of data breaches.