GDPR | Seers Article

One in four organisations is a victim of a data breach, according to the Cost of Data Breach Study: GDPR Compliance Checklist Global for 2017 by the Ponemon Institute. Once the GDPR comes into full effect, the cost of the data loss itself is not the only thing organisations will be dealing with. They will have a high additional cost to consider: penalties for losing data under GDPR can go as high as €20 million.

So, is it only a matter of time before every data controller will be shelling out millions to stay in business?

GDPR fines and penalties are deliberately prohibitive. There is no doubt about it. But with 25% of organisations being hit by data breaches, being careless with user data is no longer an option. Does this mean that the growth of data-based technologies, such as big data and data analytics, is being smothered by the General Data Protection Regulation?

That’s not exactly true. All GDPR is doing is disincentivising companies from being careless with their data. Everything from data collection and processing to storage has to be secured using the latest available technologies. GDPR is also about putting power back in the hands of consumers, who will now have the right to know exactly what is happening with their data and why.

Think of GDPR fines and penalties as a push to ensure that companies go the extra mile to comply with the regulations laid down under the GDPR. GDPR fines and penalties are divided into different categories, and each applies according to the degree of the offence committed by an organisation. Here is everything there is to know about the GDPR fines.

Everybody is Talking About It

The General Data Protection Regulation (GDPR) has become a priority item for the boards of a large number of global and domestic organisations. The most eye-catching component of the new data protection regulation is the enormous fines it levies on offenders. GDPR compliance requires organisations to make significant changes to their processes and digital infrastructure. Non-compliance can seriously hurt a company’s bottom line, and this is why organisations have taken significant steps towards ensuring GDPR compliance.

It is important to understand that while GDPR fines and penalties will be a huge driving force behind enforcing the law, they are not the only reprimanding power available under GDPR to the Information Commissioner’s Office. It can issue warnings, enforce a ban on processing data for a stipulated time frame, order the correction of flaws in company processes, and even suspend permissions to export data to foreign countries.

As fines and penalties are an extremely important element of the entire GDPR framework, anyone who is going to be impacted by the regulation should make it a point to know everything there is to know about them. Here is a quick summary of GDPR fines and the conditions under which they will be applicable.

Coming to the Fines

Article 83 of the GDPR document discusses the fines and penalties in detail and requires them to be “effective, proportionate and dissuasive”. The GDPR follows a multi-tiered structure for the administrative fines. None of these fines and penalties is mandatory: the supervisory authority need not levy any of them, but may do so if it finds that a suitable punishment for an offence. In other words, these fines are discretionary, and they are levied on a per-case basis.

Effective means that organisations will not be able to find a shortcut to make the fines and penalties go away, because the GDPR requires them to make permanent structural changes rather than temporary superficial ones. Such changes cannot be made in a day. Proportionate means that the authorities will take up each offender case by case, and fines will be levied relative to the severity of the offence, the compliance history, and more.

Dissuasive is an apt way to describe GDPR fines. The fines, if levied, will make an organisation pay through the nose. These are hefty fines that can make a serious dent in an organisation’s annual income statement. This means that organisations will have a strong reason to avoid them. In other words, it gives them a strong reason to comply.

Why Such Hefty Fines?

The compliance requirements of GDPR are quite elaborate. Organisations will have to invest in infrastructure and training to ensure compliance. Policymakers had to give organisations a strong incentive to comply with such a regulation. The fines are the most compelling reason why organisations are so invested in making sure that they comply with the new regulation.

What is the Fine Structure?

The administrative fine structure of the GDPR has two levels. Which fine is levied depends on the regulation that the organisation has flouted. The two tiers are:

  1. Up to €10 million or 2% of the global annual turnover*
  2. Up to €20 million or 4% of the global annual turnover*

* The higher of the two is applicable.

Let’s break down the two types of administrative fines to understand how and when they are levied.

  • Up to €10 million or 2% of the global annual turnover*

This fine is applicable when the company does not comply with the regulations listed in Article 83(4) of the GDPR document. This article covers regulations related to properly securing data and recording data processing activities, cooperating with the supervisory authorities, notifying the data subjects and the authorities about a data breach, data protection impact assessments, data protection officers and their duties, certifications, and more.

  • Up to €20 million or 4% of the global annual turnover*

This fine is applicable when the company does not comply with the regulations listed in Article 83(5) of the GDPR document. This article covers regulations related to consent, the processing of special categories of data, and other basic tenets of data processing under GDPR. It also includes the rights of a data subject as well as the proper transfer of data to a recipient based in a foreign country or an international organisation.

These are the maximum fines and penalties that organisations will have to pay; the actual amount can vary depending on the severity of the offence. As already mentioned, the fine for each organisation is considered on a per-case basis. The amount of the fine to be paid by an organisation depends on the following factors:

  • The nature of the infringement and its gravity. This is ascertained by taking into account what kind of data the organisation processes, how many data subjects are affected by the breach, and to what extent they are affected by it.
  • Whether the organisation infringed the regulation through negligence or intentionally. This also takes into account the technical and organisational measures undertaken by the data controller and the processor to secure the data.
  • Whether the organisation has taken any measures to minimise the damage suffered by the data subjects due to the breach.
  • Whether the data controller or processor is a repeat offender.
  • How the organisation cooperates with the authorities to correct the non-compliance and mitigate the negative impact of the infringement on the data subjects. The authorities also take into account how the infringement came to light and how the organisation reported the incident.
  • The authorities will take into account which categories of personal data are impacted by the data breach and take action accordingly.
  • Whether the organisation has benefited from the infringement in any way.
  • It is also taken into consideration whether the data controller or processor has previously been booked for the same infringement. If so, it is not penalised separately for each infringement; rather, it is treated as having committed the most serious of those infringements of the data protection regulation and fined accordingly.

Does GDPR ensure compliance only through fines?

No, there are many other ways in which GDPR will ensure compliance. GDPR fines and penalties have attracted a lot of attention in the media, but they are not the only way of making companies comply with the GDPR guidelines. There is elaborate sanction machinery in place to dissuade companies from flouting these regulations.

If there is a suspicion that a company is flouting the GDPR regulations, the Data Protection Authority in that country swings into action. It is up to this authority to conclude whether a company has committed a breach. The decision then lies with the Data Protection Authority as to whether to impose a fine or not. As has already been stated, it considers each case independently, determines the degree of infringement, and levies a proportional fine.

If the authority decides not to impose a fine, it can undertake other countermeasures to dissuade companies from non-compliance. The Data Protection Authority takes into account the nature of the rules flouted by the organisation, the actions taken by the organisation to minimise the impact of the damage caused to other participants, and the record of infringements committed by the organisation. Authorities can reprimand them for the infringements and leave a warning on record, suspend their data transfers to foreign countries, impose a temporary or even permanent ban on data collection and pro