What are the GDPR Fines?

GDPR fines are designed to make non-compliance costly for large and small businesses. Let's take a look at how regulators determine the amount of GDPR fines.

Any organization that is not compliant with the European Union’s General Data Protection Regulation ("GDPR") faces liability.

Two tiers of GDPR fines

The GDPR states explicitly that some violations are more severe than others.

The less severe violations can result in a fine of up to the greater of €10 million or 2% of the firm’s worldwide annual revenue from the preceding financial year.

Such violations include any non-compliance with articles governing:

  • Controllers and processors (Articles 8, 11, 25-39, 42, and 43) — Organizations that decide why and how personal data is processed (controllers) and those that process it on their behalf (processors) must meet their obligations on, among other things, data protection by design and by default, records of processing, security of processing, breach notification, data protection impact assessments, and data protection officers.
  • Certification bodies (Articles 42 and 43) — Accredited bodies charged with certifying organizations must execute their evaluations and assessments without bias and via a transparent process.
  • Monitoring bodies (Article 41) — Bodies designated to have the appropriate level of expertise must demonstrate independence and follow established procedures in handling complaints or reported violations in an impartial and transparent manner.

The more serious violations run afoul of the very principles of the right to privacy and the right to be forgotten that are central to the GDPR. These types of violations may result in a fine up to the greater of €20 million or 4% of the violating firm’s worldwide annual revenue from the preceding financial year. These violations include any non-compliance with the articles governing:

  • The basic principles for processing (Articles 5, 6, and 9) — Data processing must be done in a lawful, fair, and transparent manner. Personal data has to be collected and processed for a specific purpose, the personal data must be kept accurate and up to date, and processed in a manner that ensures its security. Organizations are only allowed to process data if they meet one of the six lawful bases listed in Article 6. Additionally, certain types of personal data, including racial origin, political opinions, religious beliefs, trade union membership, sexual orientation, and health or biometric data are prohibited except under specific circumstances.
  • The conditions for consent (Article 7) — When an organization’s data processing is justified based on the person’s consent, the organization needs to have documentation to prove it.
  • The data subjects’ rights (Articles 12-22) — Individuals have a right to know what data an organization is collecting and what they are doing with it. They also have a right to obtain a copy of the data collected, to have this data corrected, and in certain cases, the right to have this data be erased. People also have a right to transfer their data to another organization.
  • The transfer of data to an international organization or a recipient in a third country (Articles 44-49) — Personal data may only be transferred to a third country or international organization if the European Commission has decided that the destination ensures an adequate level of protection or, failing that, if the transfer is covered by appropriate safeguards such as standard contractual clauses or binding corporate rules, or falls under one of the narrow derogations in Article 49.
  • Any violation of member state laws adopted under Chapter IX — Chapter IX grants EU member states the ability to pass additional data protection laws as long as they are in accordance with the GDPR. Any violation of these national laws also faces GDPR administrative fines.
  • Non-compliance with an order by a supervisory authority — If an organization fails to comply with an order, or with a temporary or definitive limitation on processing, imposed by a supervisory authority, it may face a fine in this upper tier regardless of the nature of the original violation.

And these are just the administrative fines. Article 82 gives data subjects the right to seek compensation from organizations that cause them material or non-material damage as a result of a GDPR infringement.

How much is a GDPR fine?

Under the GDPR, fines are imposed by the supervisory authority (the data protection regulator) of each EU member state. That authority determines whether a violation has occurred and how severe the penalty should be, using the criteria set out in Article 83(2), summarized below:

  • Gravity and nature — The nature, gravity, and duration of the violation: what happened, how and why it happened, the number of people affected, the damage they suffered, and how long it took to resolve.
  • Intention — Whether the violation was intentional or the result of negligence.
  • Mitigation — Whether the firm took any actions to mitigate the damage suffered by people affected by the violation.
  • Precautionary measures — The amount of technical and organizational preparation the firm had previously implemented to be in compliance with the GDPR.
  • History — Any relevant previous violations, including violations under the Data Protection Directive (not just the GDPR), as well as compliance with past administrative corrective actions under the GDPR.
  • Cooperation — Whether the firm cooperated with the supervisory authority to discover and remedy the violation.
  • Data category — What type of personal data the violation implicated.
  • Notification — Whether the firm, or a designated third party, proactively reported the violation to the supervisory authority.
  • Certification — Whether the firm followed approved codes of conduct or was previously certified.
  • Aggravating/mitigating factors — Any other issues arising from circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.

If an organization has intentionally or negligently infringed several GDPR provisions through the same or linked processing operations, the total administrative fine is capped at the amount applicable to the gravest of those infringements (Article 83(3)).

Data controller’s responsibility

Many companies use third parties, such as email or cloud storage providers, to handle their data. Outsourcing can help with compliance when the provider has stronger technical capabilities, but it does not relieve the hiring organization (the controller, or a processor that in turn engages a sub-processor) of its duty to ensure that personal data is processed in accordance with the GDPR. Article 28 requires a controller to use only processors that provide sufficient guarantees of compliance and to bind them by a written contract. Where a data subject suffers damage, a controller or processor is exempt from liability for compensation only if it can prove it was "not in any way responsible for the event giving rise to the damage" (Article 82(3)); otherwise it can be held liable for the entire damage, including damage caused by a non-compliant third party.

For this reason, it is important to vet any third-party service you use: check its security track record, and make sure the processing contract and its technical and organizational security measures (Article 32) are in place before any personal data is shared.

Conclusion

The GDPR’s heavy fines are aimed at ensuring best practices for data security are too costly not to adopt. While it remains to be seen how fines will be applied by different EU member states, these fines loom for any organization not fulfilling the requirements for GDPR compliance.


Gary Guttenberg, Attorney, Deal Maker, Negotiator

