When the General Data Protection Regulation (GDPR) came into full effect, much of the talk revolved around the shockingly high fines that GDPR prescribed.
However, GDPR fines are not intended to ruin your business, harm the economy, or be the sole reason for GDPR compliance.
They are designed to reinforce what GDPR advocates: make companies responsible for how they handle personal data, and make non-compliance unprofitable.
Since GDPR applies to a whole array of organizations, from small to medium to large enterprises, GDPR fines are scalable and flexible, and the value of a fine will depend greatly on multiple factors.
It is important to note that there is no simple formula for calculating GDPR fines. However, the criteria and factors that the data protection authority will take into account are clearly defined by the GDPR.
So let’s see how GDPR fines are grouped and what will affect the DPA’s final decision.
Two tiers of GDPR fines
GDPR recognizes two levels of GDPR fines depending on the severity of the violation.
1. GDPR fines for less severe violations
Less severe violations can result in penalties up to €10 million, or in the case of an undertaking, 2% of the organization’s global turnover of the preceding fiscal year, whichever is higher.
The lower tier applies mostly to violations of a procedural or technical nature, such as violations connected with record-keeping, data security, data protection impact assessments (DPIA), data protection by design and default, and data processing agreements, and includes violations of:
- the obligations of the controller and the processor (Articles 8, 11, 25 to 39)
- the obligations of the certification body (Articles 42 and 43)
- the obligations of the monitoring body (Article 41(4))
2. GDPR fines for severe violations
For especially severe violations the fine framework can be up to €20 million, or up to 4% of the organization’s total global turnover of the preceding fiscal year, whichever is higher.
Severe GDPR fines are often issued for violations relating to data protection principles, the legal basis for processing, information to data subjects, the processing of sensitive data, denial of data subjects’ rights, and data transfers to non-EU countries.
- Basic principles for processing, including conditions for consent (Articles 5, 6, 7, and 9) – As an organization, you are obligated to process personal data based on one of the six lawful bases for processing. Processing must be lawful, fair, and transparent, among other things.
- Data subjects’ rights (Articles 12 to 22) – Respecting data subject rights and transparent information and communication for the exercise of those rights
- Transfers of personal data to a recipient in a third country or an international organization (Articles 44 to 49)
- Any obligations pursuant to Member State law
- Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority or failure to provide access in violation of Article 58(1)
- Non-compliance with an order by the supervisory authority
How are GDPR fines defined and calculated?
Each EU country has a national data protection authority (DPA) – an independent public authority that supervises the application of the data protection law and defines the final amount of GDPR fines, among other things.
Data Protection Authorities are tasked with the imposition of effective, proportionate, and dissuasive fines.
The DPA is responsible for considering all important aspects of the violation, such as the seriousness of the infringement, its effect on individuals, and the level of cooperation the organization demonstrated in the process, and uses that information to define the amount of the GDPR fine.
What does the DPA take into account when imposing a fine?
GDPR prescribes 11 important criteria that the DPA uses to determine the amount of the penalty:
- Nature, gravity, and duration of the violation – the supervisory authority will take into account the number of data subjects that have been affected, the level of damage they suffered, the nature of the violation, why and how the violation occurred, and how long it lasted
- Intention – whether the violation was intentional or negligent
- Mitigation of the risk – did the organization take any type of action to mitigate the damage suffered by data subjects
- Responsibility – the degree of responsibility the organization has demonstrated so far regarding the implementation of appropriate technical and organizational measures
- Previous violations – any relevant previous infringements by the organization
- Level of cooperation – the level of cooperation with the supervisory authority that the organization demonstrated in order to remedy the violation and mitigate the possible effects
- Data categories – the categories of personal data affected by the violation
- Notification of the violation – whether (and to what extent) the organization notified the supervisory authority about the violation
- History – whether any corrective measures were previously issued against the organization regarding the same subject
- Codes of conduct – whether the organization adhered to approved codes of conduct or approved certification mechanisms
- Aggravating or mitigating factors – for example, if there were financial benefits gained or losses avoided from the violation
Should you be worried about GDPR fines?
Getting a GDPR fine can undermine the organization’s efforts to build relationships based on trust with its customers.
Aside from the financial damage, it also affects brand value, investor appeal, business operations, and external relationships, and it brings bad publicity.
However, the Data Protection Authority will most likely use a GDPR fine as a last resort, which will in some cases be preceded by warnings or other interventions.
If the DPA investigation uncovers intentional infringement of the GDPR, if the violation persists over a longer period of time, or if the organization knowingly and repeatedly violates GDPR and puts individuals’ personal data at risk, this will all add to the final amount of the fine.
The DPA will also take into account, among other factors, the size of the organization and its turnover.
However, even if a violation occurs, you will probably have the opportunity to influence the final value of the fine by providing documentation and cooperating with the DPA.
It is always recommended to take a proactive approach rather than a reactive one, and to act before any privacy risk even occurs.