Netwrix Auditor – Data Discovery & Classification Edition is out! Learn More

General Data Protection Regulation (GDPR) Penalties: What Should You Expect?

The General Data Protection Regulation (GDPR) is a global standard that gives data protection authorities more enforcement power than they had under the previous Data Protection Directive 95/46/EC (DPD), as well as the power to levy more substantial fines. While DPD did not specify the exact amount of administrative fines for compliance violations, the maximum fines for violations of the GDPR can reach €20 million or 4% of the organization’s global annual turnover from the preceding financial year. These penalties are substantially higher than those for any other current standard (e.g., HIPAA, GLBA or SOX).

Although the GPDR hasn’t come into effect yet, organizations already face problems due to their inability to demonstrate compliance with the standard

Although the GPDR hasn’t come into effect yet, organizations already face problems due to their inability to demonstrate compliance with the standard. Recent examples include Flybe and Honda, which were fined by Information Commissioner’s Office for breaking the rules regarding marketing emails. Both companies tried to comply with the GDPR and get customers’ consent in advance by sending emails to ask whether people want to receive marketing information from them, but in doing so, they violated the UK’s Privacy and Electronic Communication Regulations (PECR), which forbids such emails without the right consent because they are considered to be marketing materials.

In this blog post, Netwrix provides answers to the most common questions about GDPR penalties to help you get more familiar with how fines will be determined and which requirements impose the biggest penalties.

How are fines determined?

According to Article 83 of the GDPR, Supervisory Authorities (SAs) or any independent public authorities responsible for protecting rights of natural persons have the right to issue fines to any organization that fails to prove its GDPR compliance. These fines have to be “effective, proportionate and dissuasive.” There are several criteria that help SAs determine whether an organization has to pay a fine or not, and how big this fine must be:

  • Nature of infringement — The number of people affected and the damage they suffered; the nature, gravity and duration of the infringement; and the purpose of data processing
  • Intention — Whether the infringement was intentional or negligent
  • Mitigation — What actions were taken by the data controller or processor to mitigate damage to data subjects
  • Preventative measures — The degree of responsibility by the controller and processor, as well as what technical and organizational measures the organization took to prevent non-compliance
  • History — Any relevant prior infringements by the controller or processor
  • Cooperation — How willing the company has been to cooperate with the SA to remedy the infringement and mitigate its potential effects
  • Data type What categories of personal data the infringement affects
  • Notification — Whether controller or processor reported the infringement proactively
  • Certification Whether the firm had earned certifications or adhered to approved codes of conduct
  • Other Other aggravating or mitigating factors applicable to the circumstances of the case, e.g., financial benefits gained or losses avoided

What are the GDPR’s fine levels?

Article 83 also describes two levels of fines that organizations can face if they fail to prove compliance with the GDPR. The levels are based primarily on which requirement was violated.

Level One. At this level, organizations face penalties of up to 10 million euros, or 2% of their global annual turnover for the preceding financial year. Level one applies to violations of the following requirements:

  • Obligations of the Controller and the Processor — One of the largest sections of the GDPR is devoted to the responsibilities of data controllers and processors for proper data processing and protection. This includes data protection by design and by default (Article 25), rules related to the security of processing (Article 32), and timely notification of a data breach to the SAs (Article 33) and data subjects (Article 34). Also, both controllers and processors are required to carry out data protection impact assessments (Article 35) to identify and mitigate security risks related to data processing.
  • Data breach notification (Articles 33-34) — Article 33 of the GDPR requires data controllers to notify supervisory authorities in case of a personal data breach, without undue delay and within 72 hours after having become aware of the personal data breach, unless the breach is unlikely to put the rights and freedoms of natural persons at risk. Article 34 covers the notification of personal data breaches to data subjects and specifies the details that organizations have to provide (including the nature of the breach, a contact point and the likely consequences).
  • Obligations of the monitoring body (Article 41) — Article 41 covers monitoring of approved codes of conduct that should be carried out by a body that has relevant expertise and that is accredited for that purpose by a competent supervisory authority.
  • Obligations of the certification body (Articles 42 and 43) — According to Article 42, member states and supervisory authorities shall encourage the establishment of data protection certification mechanisms to help data controllers and processors demonstrate compliance with the GDPR. Certifications can be issued by either an accredited certification body or the European Data Protection Board. Article 43 says that accreditation is available to a certification body only under certain circumstances, e.g., if the body demonstrates certain independence and expertise, or establishes procedures to handle complaints about infringements.

Level Two. At this higher tier, fines are assessed for more serious infringements by controllers and processors, such as violation of a data subject’s rights or conditions of consent. Fines at this level are 20 million euros or 4% of the company’s global annual turnover for the preceding financial year. Level two includes violations of the following provisions of the GDPR:

  • Basic principles for processing of data — This includes general rules for data processing (Article 5), lawfulness of processing (Article 6), conditions for consent (Article 7 and 8) and the processing of special categories of sensitive data (Articles 9–11).
  • Data subjects’ rights (Articles 12–22) — The articles define multiple rights of data subjects that significantly affect the way organizations can store and process personal data. Examples include the right to confirm whether personal data is being processed (Article 15), the right to rectify inaccurate personal data (Article 16), the right to be forgotten (Article 17), the right to restriction of processing (Article 18), the right to easily transmit data to other controllers (Article 20) and the right to object to data processing activities (Article 21).
  • Transfers of personal data (Articles 44–50) — Chapter 5 governs data transfers to third countries or international organizations. This includes the general principles of data transfers (Article 44), transfers or disclosures not authorized by EU law (Article 48), and rules about international cooperation for the protection of personal data (Article 50).
  • Orders from supervisory authorities — Finally, organizations can face level two fines if they fail to comply with an order by a Supervisory Authority to limit or suspend the processing of data (Article 58).

View infographic (click on the image to open a high resolution version in a new tab)

Is there any additional compensation for data subjects?

Similar to the DPD, the GDPR allows data subjects to seek monetary damages in court from controllers and processors who violate their rights. This includes cases when organizations are liable for a data breach, violate the processor-specific provisions of the GDPR, or act outside a controller’s lawful instruction (Articles 79 and 82).

Summary

Apart from imposing fines, supervisory authorities have other corrective powers in case of non-compliance, which include issuing warnings and reprimands, and — in extreme cases — banning the organization from processing personal data (Article 58). Therefore, organizations need to ensure that they have effective policies and procedures in place to ensure explicit consent, identify and report breaches, and comply with other GDPR provisions. It’s wise to start by paying attention to the areas that impose the highest penalties, by following basic rules for proper data processing and making sure that they do not violate the rights of data subjects.