One in every four organisations is a victim of a data breach, as per the Cost of Data Breach Study: Gdpr Compliance Checklist Global for 2017 by the Ponemon Institute. Once the GDPR comes into full effect, it is not only the cost of the data loss that the organisations will be dealing with. They will have an additional major cost to consider. The cost of fines and Penalties for data loss under GDPR can go as high as €20 million.
So, is it only a matter of time before every data controller will be shelling out millions to stay in business?
GDPR fines and Penalties are deliberately prohibitive. There is no doubt about it. But, with 25% of the organisations being hit by data breaches, being careless with user data is no longer an option. Does this mean that the growth of data-based technologies, such as big data and data analytics, is being smothered by the General Data Protection Regulation?
That’s not exactly true. All GDPR is doing is disincentivising companies for being careless with their data. Everything from data collection, processing, to storage has to be secured using the latest available technologies. GDPR is also about putting power back in the hands of the consumers who will now have the right to know exactly what is happening with their data and why.
Think of GDPR fines and Penalties as a form of a push for ensuring that the companies go the extra mile to comply with the regulations laid down under the GDPR. GDPR fines and Penalties have been divided into different categories, and each of them applies to the degree of offence committed by an organisation. Here is everything there is know about the GDPR fines.
Everybody is Talking About It
General Data Protection Regulation (GDPR) has become a priority item for the boards of a large number of global and domestic organisations. The most eye-catching component of the new data protection regulation is the enormous amounts of fines it levies on the offenders. GDPR requires organisations to make significant changes to their processes and digital infrastructures. Noncompliance can seriously hurt the bottom line of such a company, and this is why organisations have taken significant steps towards ensuring GDPR compliance.
It is important to understand that while the GDPR fines and Penalties will be a huge driving force behind enforcing the law, they are not the only reprimanding power available under GDPR to the Information Commissioner’s Office. They can issue warnings, enforce a ban on processing data for a stipulated time frame, order the correction of flaws in company processes, and even suspend the permissions to export data to foreign countries.
As fines and Penalties are an extremely important element of the entire GDPR framework, anyone who is going to be impacted by the regulation should make it a point to know everything there is to know about them. Here is a quick summary of GDPR fines and the conditions under which they will be applicable.
Coming to the Fines
Article 83 of the GDPR document talks about the fines and Penalties in detail and requires them to be “effective, proportionate and dissuasive”. The GDPR follows a multi-tiered structure for the administrative fines. All such fines and Penalties are not mandatory. So, the supervisory authority need not levy one or more of them. But, they can collect them if they find it a suitable punishment for an offence. What this means is that these fines are discretionary. Also, they are levied per-case-basis.
Effective means that organisations will not be able to find a shortcut to make the fines and Penalties go away because the GDPR requires them to make permanent structural changes and not temporary superficial ones. Such changes cannot be made in a day. Proportionate means that the authorities will take up every offender case-by-case and they will be levied fines relative to the severity of the offence, compliance history, and more.
Dissuasive is one of the aptest ways to define the GDPR fines. The fines, if levied, will make an organisation pay through its teeth. These are hefty fines that can make a serious dent on the annual income statements of an organisation. This means that organisations will have a strong reason to avoid them. In other words, it will give them a strong reason to comply.
Why Such Hefty Fines?
The compliance requirements of GDPR are pretty elaborate. Organisations will have to invest in infrastructure and training to ensure compliance. Policymakers had to give the organisations a strong enabler to get them to comply with such a regulation. The fines are the most compelling reason why organisations are so invested in making sure that they comply with the new regulation.
What is the Fine Structure?
The fine administrative structure of the GDPR has two levels. Which fine is levied is decided in consideration of the regulation that the organisation has flouted. The two tiers are:
- Up to €10 million or 2% of the global annual turnover*
- Up to €20 million or 4% of the global annual turnover*
Higher of the two is applicable
Let’s break down the two types of administrative fines to understand how and when they are levied.
- Up to €10 million or 2% of the global annual turnover*
This fine is applicable when the company does not comply with the regulations listed in Article 83(4) of the GDPR document. This article talks about regulations related to properly securing data and recording data processing activities, co-operating pleasantly with the supervising authorities, notifying the data subjects and the authorities about the data breach, data protection impact assessment, data protection officers and their duties, certifications, and more.
- Up to €20 million or 4% of the global annual turnover*
This fine is applicable when the company does not comply with the regulations listed in Article 83(5) of the GDPR document.
This article talks about regulations related to consent, processing of special data categories, and other basic tenets of data processing under GDPR. It also includes the rights of a data subject as well as the proper transfer of data to a recipient who is based in a foreign country or a global organisation.
These are the maximum amounts of fines and Penalties that organisations will have to pay, and the amount can vary, depending on the severity of the offence. As already mentioned, the fine for each organisation is considered on a per-case basis. The amount of fine to be paid by an organisation depends on the following factors:
- The nature of the infringement and its gravity. This is ascertained by taking into account what kind of data the organisation processes, how many data subjects are affected by the breach, and to what extent they are affected by the data breach.
- Whether the organisation has infringed the regulation due to negligence or is it an intentional infringement by the organisation, automatically, it also takes into account the technical and organisational measures undertaken by the data controller and the processor to secure the data.
- Whether the organisation has taken any kind of measures to minimise the damage suffered by the data subjects due to the breach.
- Whether the data controller or a processor is a repeat offender.
- How the organisation cooperates with the authorities to correct the non-compliance as well as mitigate the negative impact of the infringement on the data subjects. They also take into account how the infringement came to light and how the organisation reported the incident.
- The authorities will take into account what categories of personal data are impacted by the data breach and take action accordingly.
- Whether the organisation has benefitted from the infringement in any way.
- It is also taken into consideration whether the data controller or the processor has been previously booked for the same infringement. If that is the case, then it is not penalized for the separate infringements. Rather, it is considered to have committed the most serious infringements of the data protection regulation and fined accordingly.
Does GDPR ensure compliance only through fines?
No, there are many other forms in which GDPR will ensure compliance. GDPR fines and Penalties have attracted a lot of attention in the media, but they are not the only way of making the companies comply with the GDPR guidelines. There is elaborate sanction machinery in place to dissuade companies from flouting these regulations.
If there is a suspicion that a company is flouting the GDPR Regulations, then the Data Protection Authority in that country swings into action. It is up to this authority to conclude whether a company has committed a breach. Now, the decision lies with this Data Protection Authority to decide whether they want to impose a fine or not. As has already been stated, they consider each case independently and then determine the degree of infringement and level a proportional fine.
If the authority decides not to impose a fine, then it can undertake other countermeasures to dissuade the companies from non-compliance. The Data Protection Authority takes into account the nature of the rules flouted by the organisation, the actions were taken by the organisation to minimize the impact of the damage caused to other participants, and of course, records or infringements committed by the organisation. Authorities can reprimand them for the infringements and leave a warning on record, suspend their data transfers to foreign countries, impose a temporary or even permanent ban on data collection and processing, and so on. The fines and Penalties and other sanctions are not mutually exclusive. They can be used together to ensure that the offending organisation gets a proportionate penalty.
The fines and Penalties the reprimands are the punishments that the organisations will have to deal with on the administrative end. But, there are other more serious costs, depending on the severity and the extent of the data breach. These costs relate to the claims separately filed by the data subjects, whose data have been compromised due to the laxity showcased by the organisation. This proves to be a double whammy for such organisations who are already reeling under the administrative fines and reprimands. They are dealing with a lot of financial stress and multiple individual claims by data subjects can put even more stress on their balance sheets.
Hence, the organisations have all the more reasons to comply with the GDPR to avoid any kind of fines and claims.
How to Avoid GDPR Fines and Penalties?
The simple and straightforward answer is – comply with GDPR.
Even when the organisations cannot ensure complete compliance with GDPR Compliance Checklist, they can avoid hefty GDPR fines by making sure that they have taken all the necessary steps to be GDPR-compliant. But, that’s easier said than done. Your priority should be to understand the regulations that are considered more sacrosanct by GDPR (and hence attract more fines). It is critical for organisations to first plug any holes in those areas. For instance, updating consent forms, beefing up the security of the special categories of data, making sure that the data sent to foreign countries is properly encrypted and secured, data subjects are informed immediately when there is a breach, and so on. Once you have taken care of the big-ticket items, you can move to more general data protection measures like training the staff, finding out about more cutting-edge security measures available in the market, and so on.
Under Gdpr Compliance Checklist, organisations simply cannot enjoy any kind of immunity from fines. The system is not built that way. So, the best way to avoid any kind of fines is to bring in a professional who can help with updating the current organisational systems to the GDPR standards. Another alternative that organisations are gravitating towards is cyber insurance. Organisations can use it to safeguard themselves from the hefty fines while they make their organisational structures more compliant with GDPR. Cyber insurances differ in their offerings. So, it is important first to understand the kind of coverage they offer and then purchase one.
It is important to remember that a data breach does not essentially translate into a million-dollar fine for the organisations. The Data Protection Authority in each country takes a granular approach to understand the case. If an organisation can convince the authority that they are taking all the necessary steps to safeguard the privacy of their data subject, then they can avoid the fines. However, it is important to remember that the punishments for repeat offenders are severe.
Stay Safe. Act Now
There is not a lot of clarity on how GDPR compliance checklist – fines and Penalties work. But, just focusing on the GDPR fines is not the best way of looking at what is essentially a business problem. The idea of GDPR is to bring about data security in fast-evolving cyberspace. Organisations should do the same. Instead of overthinking the fines and ways to mitigate them, organisations should improve the systems they use to collect and process consumer data. Once they start respecting the privacy of their data subjects and start running more transparent operations, they will not have to worry about the GDPR compliance checklist and fines anymore.
Do you think GDPR fines and Penalties are the right way to ensure the privacy of the residents of the EU states?