GDPR fines 2020: See how they affect your business and whether you need to take precautionary measures. EU and Data Protection Agencies are actively trying to increase awareness on the subject.
Are you subject to the fines?
The EU’s General Data Protection Regulation (GDPR) was drafted to empower EU citizens and protect their personal data. Whether the data is used for marketing, research or product improvement, EU citizens are entitled to control the collection and use of information relating to them. The penalty regime under the GDPR has a two-tiered fine structure. Relatively minor infringements are “subject to administrative fines up to €10 million, or in the case of an undertaking, up to 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher”, while the serious ones are “subject to administrative fines up to €20 million, or in the case of an undertaking, up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
Over time, application of the EU GDPR has improved among businesses operating in the EU. Here is some insight into how it can affect your business:
#1 Higher fine possibilities
The Polish data protection agency, known as the UODO, issued its first GDPR fine on March 26 last year: a fine of about €220,000 to a firm that was not named in the decision. The firm had compiled publicly available data on about six million Polish citizens, including names, email addresses, telephone numbers and addresses, for its own processing, but had informed only about 90,000 of those data subjects that it was processing their information. The regulator treated the failure to inform the remaining data subjects as intentional.
This was one of the earliest precedents of EU GDPR enforcement concerning the duty to inform data subjects about the processing of their data.
#2 Reduction of fines via cooperation
Knuddels.de of Germany suffered a data breach in September 2018 that exposed some 330,000 users’ email addresses, together with passwords the platform had stored in plain text. Knuddels took steps that set a good benchmark for data breach management: it informed its users of the breach, temporarily deactivated the affected accounts, reported the breach to the data protection agency and improved the security of its platform.
In response, the Baden-Württemberg state data protection authority (LfDI) fined the company €20,000 for the inadequate protection of stored passwords; in light of its “exemplary cooperation” and transparency, this was a lighter penalty than it would have been otherwise. The lesson for practitioners is twofold: never store passwords in plain text, and if a breach does occur, prompt notification and remediation are weighed in your favour.
#3 Fines do not spare any business
The EDPB shared its preliminary report examining the initial implementation of the GDPR. The report put the total fines issued under the EU GDPR at €55,955,871, but about 90 per cent of that total came from a single €50 million fine that Google received from CNIL, the French data protection agency.
#4 Future of GDPR fines
The Dutch fining policy is a clear framework for the application of the EU GDPR and can help to future-proof organisations. It divides violations into four categories, each with a “default” fine that the regulator adjusts up or down according to the circumstances of the case.
Category I applies to relatively simple or clerical violations: an accidental error or omission that does not amount to a major compliance failure.
Category II covers cases in which a company does not fulfil specific GDPR requirements regarding data processing, that is, a failure to comply with the basic principles of processing.
Category III covers a company’s refusal to be transparent, and failures to manage and report data breaches.
Category IV violations are the most severe. These include other exploitative and unlawful data processing and storage practices.
The UK’s ICO has capped penalties for violating the ePrivacy Directive at £500,000. However, activities that fall within the scope of both the GDPR and the ePrivacy Directive are subject to the higher GDPR penalties rather than this cap.
If you wish to prepare for the inevitable tightening of GDPR enforcement, you can protect your organisation by conducting a GDPR audit.