What are the GDPR Penalties?

Businesses that are as yet unprepared for the introduction of the General Data Protection Regulation on May 25th may want to know what the GDPR penalties are, how they are enforced and what other consequences may apply due to any failure to comply with the Regulation.

It has been widely reported that businesses which fail to comply with GDPR could face fines of up to €20 million or 4% of their global turnover, whichever is higher. Although a fine of that size is unlikely to be imposed for anything other than an extremely serious violation, the consequences of non-compliance can still be significant and extend well beyond the sanctions imposed by a Data Protection Authority.

The answer to the question “What are the GDPR Penalties?” depends on multiple factors: the nature of the violation, the efforts the business made to prepare for GDPR and, if data has been breached, the volume and sensitivity of the data and the implications for the “data subjects” whose personal information has been compromised.

You may have noticed the words “if data has been breached” in the above section. This is because a business does not need to experience a data breach in order to be found in violation of GDPR. Businesses that fail to comply with the Rights of Individuals, fail to provide a suitable mechanism for individuals to freely and unambiguously give their consent to data processing, or fail to respond to Subject Access Requests within the thirty days allowed will also be in violation of GDPR.

What Are the GDPR Penalties?

When a complaint has been received by a Data Protection Authority (DPA), the normal course of action is for the DPA to conduct a Data Protection Impact Assessment. This determines whether the business has “respected” the Regulation by preparing for GDPR, or “violated” the Regulation by failing to prepare, by acting negligently, or by intentionally following a prohibited course of action.

Depending on the outcome of the Data Protection Impact Assessment, the DPA will either:

  • Take no action if the business has prepared as best as possible for GDPR.
  • Issue a reprimand and force the business to take corrective action.
  • Prohibit further data processing (temporarily or permanently).
  • Suspend data flows to non-approved jurisdictions.
  • Impose a fine of up to €20 million or 4% of global turnover.

The extent of an enforcement action can depend on any previous violations of GDPR, the business's cooperation with the DPA and, if a breach has occurred, the length of time that passed before the breach was reported to the DPA. It is important to note that each member state of the EU has its own variation of GDPR, which may include additional clauses with which businesses have to comply.

It is also important to note that DPAs are required to produce a publicly accessible list of data protection impact assessments and the sanctions subsequently imposed. Consequently, a violation of GDPR could result in a loss of business reputation or, more seriously, alert a cybercriminal to security weaknesses in your data protection policies and procedures. For this reason, it would be extremely foolish to ignore the introduction of the General Data Protection Regulation.