Beginning from May 25th, 2018, companies which operate in the European Union have to adhere to the GDPR. Coursedot has a special quick and easy guide to provide the basics of GDPR. This is the sixth part of the series and we get into the GDPR fines. The previous part is here.
Now let’s get on with the topic of this part.
GDPR Fines and What Do They Mean
The GDPR introduces hefty fines for any company which violates the law. The administrative fines can go up to 20 million Euros or 4% of the company’s annual global turnover, whichever is higher. The exact amount of the fine depends on several factors and will vary heavily from case to case.
For example, the fine will depend on how severe the non-compliance is, the degree to which the company has failed to set up mechanisms to prevent breaches, and even its willingness to respond to requests. And while the amount of the fines is one of the few things widely known about the GDPR, what is less well known is that there are actually two levels of fines. The aforementioned 20 million Euros or 4% of global annual turnover is only the first level of fines defined by the GDPR. The second level has another layer of fines of up to 10 million Euros or 2% of global annual turnover. Both are defined in Chapter 8 of the GDPR.
The Second Tier Fines
The second level depends on the degree, gravity and duration of the infringement. It also takes into account the scope and purpose of the data processing, the number of data subjects affected, and more. This means that the larger the company and the larger and more severe the breach, the more likely this second level of fines is to come into effect.
But, as with many other aspects of the GDPR, things get complicated as you go deeper. The conditions on which a fine may be determined are so many and so broad that 100% compliance with the GDPR is close to impossible. As a result, many companies are going the other way: they are focusing on mitigating their risk exposure rather than ensuring full GDPR compliance. It’s best to try and do both.
But monetary fines are only one part of the penalties under the GDPR. For example, the Data Protection Authority might decide to suspend data flows to a recipient in a third country, or issue a reprimand to a company. Another possibility is a ban on data processing, which can be temporary or permanent. These additional penalties can be combined with a monetary fine as well.
With that said, companies and organizations should do everything they can to be as compliant with the GDPR as possible. This includes staff awareness. For example, even leaving a piece of paper with a list of email addresses on a desk might be classified as a GDPR violation, because it contains personal data that is not properly secured, i.e., the data is accessible to anyone who passes by that desk.
That is the GDPR fine regime at a glance. It’s important to know about these fines and to realize they are always a possibility unless your organization is actively working on GDPR compliance.
In Part 7 we will take a look at Preparing for the GDPR.