GDPR Penalties and Fines for Violations

GDPR Fines Breakdown

If you are looking for an explanation of GDPR fines, you came to the right place! GDPR (General Data Protection Regulation) isn’t something that businesses should take lightly, not by a long shot. Getting fined for violating the regulation means your company not only takes a financial hit, but very likely takes a nasty hit to its reputation as well, depending on the gravity of the violation.

When the European Union (EU) put GDPR in effect, with fines of up to 4% of annual revenue, it introduced some of the harshest penalties for a breach of data protection laws anywhere in the world. In doing this, the Data Protection Authorities created tremendous leverage to gain compliance with the regulations, ensure consent is received from data subjects and to reduce the likelihood of personal data violation.

Let’s be clear here, the EU isn’t playing when it comes to data protection and if you don’t follow the regulation, heads will roll--your company could go out of business--this goes double for you startups out there--and the ICO (Information Commissioner’s Office) won’t shed a tear. Also, don’t think that only the company will be held responsible: the Data Protection Officer will be held accountable, as will any employee who was part of the violation. Below, we’ll be going over the penalties that would likely ensue.

Standard Maximum Fine

For the less severe infringements, companies can be fined up to €10 million, or a penalty of 2% of the company’s worldwide annual revenue if that’s the higher figure (they’ll always aim for the highest penalty). In general, this lower level of fine is applied when the violation is one listed in Article 83(4) of the GDPR, and these include issues associated with:

• The undertaking of an Impact Assessment.

• Prior consultation with the appropriate authorities before processing commences.

• The security in place for the processing of data.

• Communicating with supervisory authorities and data subjects where there is a personal data breach.

• The appointment and tasks allocated to the Data Protection Officer.

• Certification completed to ensure GDPR compliance.

• Integrating data protection ‘by design and by default.’

• Recording processing activities.

• Co-operating with the supervising authority.

Higher Maximum Fine

If an infringement is related to principles corresponding with consent, the right to data privacy and the right to be forgotten, then it is considered to have disregarded the fundamental principles and ethos of the GDPR. This means the offenders are subject to the higher tier of GDPR fines and penalties, which could be up to €20 million, or 4% of the previous financial year’s worldwide annual revenue, and that again, is whichever is the higher of the two.

Going Over Penalty Notices

When an authority like the ICO identifies an issue, it requires the organization to take action to remedy the situation. If those steps are not taken, then a penalty can be issued. Please note that these penalties are not only given when an incident has already taken place. These fines are also issued when the required action is not taken, which may then lead to an incident. Below is a list of violations and the penalties (smallest to biggest) for not taking any action to fix them.

Type of Violations

Failure to comply with an information notice or being uncooperative during an inspection.

-Penalty: Up to £1 million

Any violation which could cause an incident resulting in a reduction in service.

-Penalty: Up to £3.4 million

Any violation which could cause an incident resulting in the disruption of service.

-Penalty: Up to £8.5 million

Any violation which could cause an incident resulting in a threat to life or a significant adverse effect on the economy.

-Penalty: Up to £17 million

GDPR Fines Towards Individuals

You read that right: individuals are not protected by their companies if they are responsible for the violation--should they use a data subject’s information for anything other than what consent has been obtained for. In that situation, with such disregard for data privacy, it’s highly likely that they will be fined, and they are personally liable for that fine.

The Right to Compensation

You didn’t think they were done with you yet, did you? Not by a long shot. All that was mentioned earlier, that’s the administrative GDPR fine. The GDPR also gives data subjects the right to seek compensation when an organization’s GDPR breach has caused material or non-material damage.

So What’s The Decision Making Process for GDPR Fines?

To assist the ICO--or their equivalent in other European countries--to come to a decision, they will consider the following aspects of the case:

1. Gravity and Nature

This is where the regulator will be going over what happened, how it took place, and why it happened in the first place. They will then consider the impact, which includes how many people’s personal data was affected and what the implications were. Finally, they will consider the timescale to reach a resolution.

2. Intention

This will weigh whether the issue is a matter of negligence or whether it was a deliberate intent to disregard the requirements of the GDPR (This is where the individual that committed the violation will be held accountable).

3. Mitigation

An assessment is then made of whether the firm took any action to reduce the damage suffered by those whose data was affected once the issue was identified. Obviously, doing nothing is bad news for the firm and for those who work for it.

4. Precautionary Measures

This is an assessment of the company’s preparation, both technical and organizational, to ensure that it would be GDPR compliant. In other words, did they dot their I’s and cross their T’s like they should have, to the best of their ability, in regard to being GDPR compliant?

5. History

This requires consideration of any historical non-compliance regarding the Data Protection Directive and whether there was GDPR compliance with previous corrective actions. More past violations means heavier fines. Remember they are going to hit your company hard and fine you the maximum penalty. That’s why it’s more important than ever for small startups and companies to be compliant and not leave it to chance.

6. Cooperation

Assessment of whether the company cooperated with the authorities when the infringement was identified.

7. Data Category

Consideration of the type of personal data that was affected by the infringement. For example, whether someone’s email address was exposed, or their social security number.

8. Notification

Did the firm or its designated third party report the GDPR infringement to the appropriate authorities? Remember that you have a month to report the violation/breach, so don’t try to hide it; report it as soon as you are made aware of it.

9. Certification

Assessment of whether the approved codes of conduct were followed or whether the company had successfully undertaken certification. Meaning that the employees completed their HIPAA training, the company carried out its risk assessment, and it has its policies and procedures in place.

10. Aggravating/Mitigating factors

Consideration of other issues that came about due to the case, which may include whether there was any financial loss or gain as a result of the infringement. In other words, did the company and/or individual make money from the infringement, and/or did the people (the data subjects) whose data was exposed or abused lose money?

What’s the Takeaway From This?

With organizations the size of Google receiving fines for violation of the GDPR, it’s no wonder that it can be challenging for smaller businesses to find their way around the regulations. It’s simply not worth ignoring the GDPR; be sure you are compliant, because if you do get slapped with a violation, don’t expect it to be a slap on the wrist when even companies like Google get fined for not being GDPR compliant. Do your due diligence and become GDPR compliant.
