What are the Fines and Penalties under the GDPR?
Under Article 83 of the GDPR, the EU enforces laws on any company that handles data from EU citizens. Those entities failing to comply with GDPR standards will face stiff fines.
GDPR fines come in two flavors – Tier 1 and Tier 2:
- Tier 1 – up to €10 million or 2% of annual global turnover of the previous year, whichever is higher.
- Tier 2 – up to €20 million or 4% of annual turnover of the previous year, whichever is higher.
- Individuals can also face fines for GDPR violations if they use another individual’s personal data for anything other than personal purposes.
It is anticipated that breaches of controller or processor obligations will be fined within Tier 1 and breaches of data subjects’ rights and freedoms will result in the higher fine outlined in Tier 2.
Authorities may take other actions outside of Tier 1 and 2 penalities, including:
- Issuing warnings and reprimands
- Imposing a temporary or permanent ban on data processing
- Ordering the rectification, restriction or erasure of data and
- Suspending data transfers to third countries.
Why are the fines so steep? Well, to give regulators the authority to push for full compliance with the law, potentially negotiating penalties, and to set precedent.
How are the Fines Actually Calculated?
Article 83 outlines how the fines will be calculated prior to assessing the penalties to violators. The 10 major criteria that authorities use to determine fines includes:
- Did the offender meet the standards for data protection certifications?
- Did the offender cooperate with authorities investigating the data breach?
- What type of personal data was accessed due to the breach?
- Did the offender have a history of allowing such data breaches?
- Was the data breach due to the offender’s negligence or intentional action?
- What actions did the offender take to mitigate the damage?
- What was the nature and extent of the damage caused by the data breach?
- When did the offender notify the regulatory authorities and the affected parties about the data breach?
- What preventative measures did the offender take prior to the data breach?
- What other mitigating circumstances were involved in the data breach?
How to Lower Chances of Receiving a Tier 2 Fine
- Implementing adequate procedures for identifying and reporting data breaches
- Implementing adequate procedures for data protection
- Prioritizing compliance with the law and ensuring the best systems are in place to avoid any breaches