GDPR fines are designed to make non-compliance a costly mistake for both large and small businesses. In this article we’ll talk about how much a GDPR fine is and how regulators determine the figure.

The European Union’s General Data Protection Regulation (GDPR) was designed to apply to all types of businesses, from multi-nationals down to micro-enterprises. The fines imposed by the GDPR under Article 83 are flexible and scale with the firm. Any organization that is not GDPR compliant, regardless of its size, faces a significant liability.

Below we will look at the administrative fine structure, how fines are assessed, and which infringements can incur penalties. This is not a guide on how to avoid GDPR fines (you can find our GDPR compliance checklist here). Rather it’s a brief primer on the financial exposure organizations face for non-compliance.

Two tiers of GDPR fines

The GDPR states explicitly that some violations are more severe than others.

The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. They include any violation of the articles governing:

  • Controllers and processors (Articles 8, 11, 25-39, 42, and 43) — Organizations that collect and control data (controllers) and those that are contracted to process data (processors) must adhere to rules governing data protection, lawful basis for processing, and more. If your organization handles personal data, these are the articles you need to read and adhere to.
  • Certification bodies (Articles 42 and 43) — Accredited bodies charged with certifying organizations must execute their evaluations and assessments without bias and via a transparent process.
  • Monitoring bodies (Article 41) — Bodies designated as having the appropriate level of expertise must demonstrate independence and follow established procedure in handling complaints or reported infringements in an impartial and transparent manner.

The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. These include any violations of the articles governing:

  • The basic principles for processing (Articles 5, 6 and 9) — Data processing must be done in a lawful, fair, and transparent manner. It has to be collected and processed for a specific purpose, be kept accurate and up to date, and processed in a manner that ensures its security. Organizations are only allowed to process data if they meet one of the six lawful bases listed in Article 6. In addition, certain types of personal data, including racial origin, political opinions, religious beliefs, trade union membership, sexual orientation, and health or biometric data are prohibited except under specific circumstances.
  • The conditions for consent (Article 7) — When an organization’s data processing is justified based on the person’s consent, that organization needs to have the documentation to prove it.
  • The data subjects’ rights (Articles 12-22) — Individuals have a right to know what data an organization is collecting and what it is doing with that data. They also have a right to obtain a copy of the data collected, to have this data corrected, and in certain cases, the right to have this data erased. People also have a right to transfer their data to another organization.
  • The transfer of data to an international organization or a recipient in a third country (Articles 44-49) — Before an organization transfers any personal data to a third country or international organization, the European Commission must decide that that country or organization ensures an adequate level of protection. The transfers themselves must be safeguarded.

They also include:

  • Any violation of member state laws adopted under Chapter IX — Chapter IX grants EU member states the ability to pass additional data protection laws as long as they are in accordance with the GDPR. Any violation of these national laws also faces GDPR administrative fines.
  • Non-compliance with an order by a supervisory authority — If an organization fails to comply with an order from a supervisory authority, it has set itself up to face a huge fine, regardless of what the original infringement was.

And these are just the administrative fines. Article 82 gives data subjects the right to seek compensation from organizations that cause them material or non-material damage as a result of a GDPR infringement.

How much is a GDPR fine?

Under the GDPR, fines are administered by the data protection regulator in each EU country. That authority will determine whether an infringement has occurred and the severity of the penalty. They will use the following 10 criteria to determine whether a fine will be assessed and in what amount:

  • Gravity and nature — The overall picture of the infringement. What happened, how it happened, why it happened, the number of people affected, the damage they suffered, and how long it took to resolve.
  • Intention — Whether the infringement was intentional or the result of negligence.
  • Mitigation — Whether the firm took any actions to mitigate the damage suffered by people affected by the infringement.
  • Precautionary measures — The amount of technical and organizational preparation the firm had previously implemented to be in compliance with the GDPR.
  • History — Any relevant previous infringements, including infringements under the Data Protection Directive (not just the GDPR), as well as compliance with past administrative corrective actions under the GDPR.
  • Cooperation — Whether the firm cooperated with the supervisory authority to discover and remedy the infringement.
  • Data category — What type of personal data the infringement affects.
  • Notification — Whether the firm, or a designated third party, proactively reported the infringement to the supervisory authority.
  • Certification — Whether the firm followed approved codes of conduct or was previously certified.
  • Aggravating/mitigating factors — Any other issues arising from circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.

If regulators determine an organization has multiple GDPR violations, it will only be penalized for the most severe one, provided all the infringements are part of the same processing operation.

Data controller’s responsibility

Many companies use third parties, like email or cloud storage services, to handle their data. While this can be helpful in adhering to the GDPR if the third party has a higher technological capacity, it does not absolve the hiring organization (i.e. the controller) from ensuring that personal data is processed in accordance with the GDPR. Unless the controller can clearly demonstrate that it was “not in any way responsible for the event giving rise to the damage,” it will be fully liable for any infringement caused by a non-compliant third party.

For this reason, it’s important to carefully vet any third-party services you use to make sure they have a good track record for security.

Conclusion

The GDPR’s stiff fines are aimed at ensuring best practices for data security are too costly not to adopt. While it remains to be seen how fines will be applied by different EU member states, these fines loom for any organization not making strides to ensure GDPR compliance.