Guide to GDPR Penalties

The General Data Protection Regulation (GDPR) is now enforceable in all European Union (EU) states. All businesses, not just those in EU Member States, are affected by it if they employ, hire, trade with, or sell to any EU citizen or company. The penalties for not being GDPR compliant are extremely high.

The biggest concerns about the GDPR are the size of the fines. Businesses will be fined the larger of €20m or 4% of their annual income. Violation of a number of lesser provisions can attract fines of up to €10m or 2% of a company’s annual, whichever is larger.

With GDPR going into effect, there are new responsibilities for business owners. Penalties and fees have been outlined in excruciating detail. Data breaches are particularly feared by many companies. Horror stories such as what occurred recently at Morrison’s have businesses running to beef up their security systems and educate their employees about what to do to avoid such events.

GDPR Fines and Penalties

The main goal of GDPR is to protect the personal data of EU citizens anywhere in the world. Most companies which have an online presence will be concerned by their potential dealings with EU citizens.

Fines and penalties associated with GDPR compliance center around ensuring the rights of data subjects. To this end, penalties are significant. Those being fined will include businesses, Data Controllers, Data Protection Officers and perhaps even Data Processors. Section 79 of the GDPR outlines fines and penalties which may be imposed by GDPR supervisory authorities.

Lesser fines of 2% of annual income or ten million Euros can be levied for such infractions as:

  • Violation of data security obligations
  • Failure to provide privacy-by-default measures to protect data from unauthorized access
  • Violation of privacy impact assessment (PIA)
  • Failure to provide a processing agreement to data subjects
  • Failure to keep a record of processing activities
  • Companies that fail to provide core provisions may be fined twenty million Euros or 4% of their annual income. These core provisions include:
    • Failure to provide basic principles of personal data processing
    • Failure to provide data subject rights such as: right of access; right to be forgotten; right to portability of personal data; right to amend or modify data that is incorrect;
    • Failure to respond to data subject’s request for electronic transfer of personal data to another company.

GDPR is not all-inclusive. Under Section 79(b) EU states must set their own rules and penalties in addition to those established by GDPR.

Setting GDPR Fines

When establishing fines, the supervising authority of the GDPR will consider the appropriateness of the fine in each individual case. Recital 118B states: “In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.

Whether a fine is levied and what kind of penalty is imposed is up to local authorities.  Under the same clause, EU Member States may establish criminal sanctions.

While people are reeling over those €20m and €10m penalties, they need to look at GDPR Article 83. The actual amount of the fine will, in fact, be based on certain factors and mitigation laid out in this section of GDPR.

GDPR Penalty Considerations

While the stated penalties are huge, small and medium-sized companies are also concerned about the effects of the penalties. Bad press can severely damage a company. This has already been seen in such instances as the Facebook breach.

Not only that, Article 58 notes that companies found in noncompliance of GDPR might actually be banned from processing personal data. This would be the death knell for most enterprises.

So what are the odds? Some companies have no plans to become GDPR compliant. They have assessed the cost of having measures in place and are gambling that they won’t be found non-compliant. Or they are considering the cost of fines versus the time and money required to become compliant and have decided they will pay the fines if charged.

Lawyers who have studied the document have stated that the goal of  GDPR is not in fact to levy fines and penalties, in an ideal world it would ensure that the personal data of all EU citizens is protected so that such fines do not need to be issued.

GDPR is intended as a guide, providing advice to companies as to how data should be collected, processed, stored, and erased so data subjects have an assurance of the secure handling of potentially sensitive information. GDPR also sets out to inform and educate company personnel about how to protect the data and how to ensure the rights of data subjects.

The spirit of GDPR is not punitive, although potential penalties are high. The aim is to train businesses about the rights of data subjects and to pressure companies to have in place processes for informing data subjects of their rights, receiving requests from data subjects, processing those requests, and safeguarding personal data.

Those who have studied GDPR regulations say that GDPR power to ensure compliance will be wielded fairly and judiciously. Yes, those fines are heavy but there are other tools to ensure compliance that may prove even more effective. Before fines are levied it is expected that some of those other tools will include: suggestions for becoming compliant, warnings, and citations.

Failure to Report a Data Breach under the GDPR

GDPR defines a data breach as: a security flaw leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Under GDPR regulations all breaches must be reported by the company to the GDPR supervising authority within seventy-two hours. Unless the company can prove mitigating circumstances, failure to report promptly carries a fine. The risk of non-reporting is not just monetary. A company can be bankrupted by bad press, loss of confidence of its employees, clients, and the general public. If the breach and the way the company mishandled it is serious enough the business could lose its right to process data. This would effectively cripple any company.

Data Controllers are usually tasked with filling out the proper forms, deciding if a breach requires reporting, and receiving news of a breach from the Data Processors of the company. Each business needs a process for handling breaches just as it needs a process for informing data subjects of their rights, processing data subject requests, and safeguarding personal data.

If procedures are in place and clients and employees are clearly informed of their data rights, then the company will be deemed in compliance. Should a glitch occur, as long as the procedures are there, staff follow these procedures, and GDPR officials are informed then the company will be seen as practicing due diligence.

GDPR Failure to Comply

As in recent cases, failure to comply may not be a business-wide issue. In the Morrisons company case, an employee deliberately leaked data. The company was liable, as it will be in GDPR cases, because it is the business’ responsibility to put plans in place, educate employees and supervise the safe handling of personal data.

Human error, however innocent, is often the cause of breach. This is the number one area of data leaks. However, if employees and the company acted responsibly in setting up and following safeguard measures and in reporting breeches, the company and the careless employee will not be found non-compliant.

Data breeches may be blamed on an individual and that employee but not the company fined. To date, GDPR is too young a document to speculate on how infractions will be dealt with. Suffice to say that GDPR authorities have assured businesses that each case will be investigated individually.

How Can Your Company Prepare for GDPR?

Actions to inform data subjects of their rights have been clearly outlined under GDPR. Methods of processing and security measures have been discussed. Each company should by now have a Data Controller who will supervise collection, storage, safety and use of personal data. The Data Controller should have a clear policy for receiving data subject  requests and processing those requests. Employees, especially Data Processors should know the procedures for reporting data breaches.

  • Your company should have in place a procedure for data breach responses and a register of data breaches.
  • The business should have looked at security and decided whether additional measures need to be instituted.
  • Staff should know the new rules for GDPR compliance and their individual responsibilities.

Yes, new rules and penalties are scary. All change is. Fear of the unknown is very real. However, the thing to remember about GDPR compliance is that measures need to be in place. Employees need to be knowledgeable about what needs to be done. If processes are in place and followed, there is little reason to fear GDPR fines and penalties.