Draft Guidelines On Administrative Fines Under GDPR

Once the General Data Protection Regulation (GDPR) comes into play, in May 2018, it will be possible for any organisation that does not comply to be fined as much as 4% of annual turnover, or £20 million, whichever is the higher amount. When you compare those figures with the current maximum fine of £500,000, for data protection breaches in the UK, you can see how much of an impact the GDPR will have.

Current Guidance on Administrative Fines for Non-Compliance with GDPR

Article 29 Working Party consists of members from every data protection regulatory body in the EU. It is the advisory body for data protection issues across the EU and it has laid out criteria concerning what needs to be considered by a supervisory authority (SA) when deciding whether to impose a fine on an organisation or not. These considerations include:

  • How serious was the breach?
  • How much data was involved?
  • Was the breach intentional?
  • What was the result of the breach?
  • Did the organisation cooperate with the SA?

Every SA has the freedom to make decisions about fines, but they are expected to be consistent. The Article 29 Working Party has yet to deliver set guidelines on how to calculate the amount of the fine.

Fines Are Not The Only Option

The SA can make the decision to use other options to punish non-compliance with the GDPR. It can issue a warning, or impose any of a variety of orders. It’s up to the SA what steps it takes against an organisation, but consistency is required, and it’s expected that SA’s will liaise with each other, to ensure that fines, and other punishment measures, are imposed fairly.

Related GDRP Articles

GDPR Compliance Checklist


GDPR for US Companies

GDPR Summary

GDPR Data Backup Requirements

About Patrick Kennedy 619 Articles
Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: https://www.linkedin.com/in/pkkennedy/