One of the larger takeaways from the upcoming GDPR is the new fines and penalties structure.
Compared to previous legislation, the new fines and penalties are substantially greater, and a company found to be non-compliant could face a penalty of four per cent of annual turnover, or €20-million, whichever is greater.
These are of course the upper limits, and supervisory authorities and enforcement bodies have the scope and option to impose lesser fines (appropriate to the gravity of the situation), or take alternative actions such as:
• Issue warnings to the company (most likely publicised).
• Issue reprimands (most likely publicised).
• Issue orders for compliance with data subject requests (portability, erasure, transparency).
• Make the data subject aware of the data breach and where it originated.
Article 83 of the GDPR sets out the two tiers of fines:
Tier 1: Up to €10-million, or 2 per cent of global annual turnover, whichever is higher.
Tier 2: Up to €20-million, or 4 per cent of global annual turnover, whichever is higher.
Guidance dictates that fines should meet three criteria: they need to be effective, proportionate, and dissuasive.
This of course opens the door to early cases of non-compliance being used as an example to the wider community that non-compliance will not be tolerated.
When establishing the correct course of action following a case of non-compliance, the ICO (the UK’s regulatory and governing body) will determine the nature of the non-compliance, its gravity, its duration, and the infringement itself.
The type of personal data that has been affected may also be a contributing (or mitigating) factor.
It’s likely that non-compliance surrounding the obligations of the data processor/data controller and other processes will incur the lesser tier of fines, whereas data breaches that affect the rights of data subjects are more likely to receive a higher fine.
Good behaviour can mitigate
The behaviour of the organisation concerned may also be taken into consideration, for example whether it has a proactive, established process and audit trail for data protection and cyber security.
This means organisations have the ability to influence the harshness of fines through proactive action, such as promoting an internal data protection culture and enforcing new internal policies to protect sensitive data.
Reducing the likelihood of higher tier fines
While a recent survey found that only 15 per cent of organisations expected to be wholly GDPR compliant come May 25th, a larger number are adopting a defensible position.
By adopting a defensible position and showing that you’re actively working towards compliance by implementing and sticking to as many good practices as you can, you will look considerably more favourable than a comparable organisation that isn’t proactive.
This also means prioritising compliance efforts to reduce risk in potentially higher risk areas (such as online) sooner rather than later.