The European Union’s General Data Protection Regulation (GDPR) has been in effect since May 2018, and many businesses still struggle to keep up with the regulation’s requirements. One of the most significant risks of non-compliance is the potential for hefty GDPR fines. The fines can be staggering and apply to businesses of all sizes. In this article, we’ll delve into everything you need to know about GDPR fines, including how much they can be, how they are assessed, and which infringements can incur penalties.
Understanding the Administrative Fine Structure
Under Article 83 of the GDPR, administrative fines are levied on businesses that fail to comply with the regulation. The fines are flexible and scale with the firm’s size, and they are designed to make non-compliance a costly mistake. The GDPR explicitly states that some violations are more severe than others, and the fines reflect this.
Less Severe Infringements
Infringements considered less severe under the GDPR could result in a fine of up to €10 million or two per cent of the firm’s global annual revenue from the preceding financial year, whichever is higher. These infringements include violations of the articles governing controllers and processors, certification bodies, and monitoring bodies.
More Severe Infringements
Infringements considered more severe could result in a fine of up to €20 million or four per cent of the firm’s worldwide annual revenue from the preceding financial year, whichever is higher. These infringements include violations of the articles governing the basic principles for processing, conditions for consent, data subjects’ rights, transfer of data to an international organisation or a recipient in a third country, and member state laws adopted under Chapter IX.
How GDPR Fines Are Assessed
Under the GDPR, fines are administered by the data protection regulator in each EU country. The regulator will determine whether an infringement has occurred and the severity of the penalty. To determine the fine amount, the regulator will consider ten criteria, including the gravity and nature of the infringement, intention, mitigation, precautionary measures taken, history, cooperation, data category, notification, certification, and aggravating/mitigating factors.
It’s important to note that if regulators determine an organisation has multiple GDPR violations, it will only be penalised for the most severe one, provided all the infringements are part of the same processing operation.
Data Controller’s Responsibility
Many businesses use third-party services to handle their data, but the hiring organisation (i.e. the controller) remains responsible for ensuring that personal data is processed in accordance with the GDPR. Unless the controller can show it was “not in any way responsible for the event giving rise to the damage,” it will be completely liable for any infringement caused by a non-compliant third party. Therefore, it’s crucial to carefully vet any third-party services you use to ensure they have a good track record for security.
Ensuring GDPR Compliance
The GDPR’s stiff fines are designed to ensure that best practices for data security are too costly not to adopt. While it remains to be seen how different EU member states will apply fines, these fines loom for organisations that fail to make strides towards GDPR compliance. Therefore, it’s essential to take GDPR compliance seriously and make the necessary changes to avoid costly fines. By adhering to the regulation’s requirements, you’ll protect your business from financial liability and gain your customers’ trust in your commitment to data protection.
Briefed is a team of barristers who provide legal advice to businesses to ensure compliance with existing regulations and laws. Our barristers are highly experienced in helping companies stay compliant and achieve their business objectives. We provide guidance and support in all areas of regulation, including GDPR legal compliance. Contact us to find out how we can help!