The most widely discussed aspect of the GDPR is its fines and penalties. We explain how organisations can incur penalties for non-compliance and explore their impact.
GDPR Maximum Fines
The GDPR imposes maximum fines of €20 million or 4% of annual worldwide turnover, whichever is higher. This can be applied if an organisation fails to comply with:
- Data protection principles, such as transparency, fairness, accountability, data accuracy and minimisation.
- Individual rights, such as access, rectification, restriction, portability, or erasure.
- Rules surrounding the transfer of data to “third countries” (countries outside the EEA that have no “adequacy” designation from the EU).
GDPR Standard Maximum Fines
There is a standard maximum fine of €10 million or 2% of annual worldwide turnover, whichever is higher. This can be applied if an organisation fails to fulfil its obligations under the GDPR, such as:
- Obtaining valid consent for a child’s personal data
- Implementing data protection by design and default measures (e.g. pseudonymisation)
- Establishing a designated representative in the EU (for businesses without an establishment in the EEA)
- Processing personal data in breach of contract with the data controller
- Failing to adequately secure personal data
Processing Bans and Other Correctional Powers
Under the GDPR, Data Protection Authorities also have powers to correct existing issues and prevent future non-compliance. These powers include:
- Issuing warnings
- Issuing reprimands
- Ordering an organisation to bring its processing activities into compliance
- Ordering an organisation to communicate a personal data breach to affected individuals
- Imposing a ban on processing data
- Ordering the rectification, restriction or erasure of data
- Ordering the suspension of data flows to a third country or international organisation
Will the maximum fines always be applied?
Data Protection Authorities do have the powers to apply the full fines in cases of non-compliance. However, it is highly unlikely that the maximum penalties will be applied in anything but the most serious of cases.
Instead, Data Protection Authorities are expected to issue fines based on the perceived impact to individuals, the scale of the issue and the organisation’s response to the issue. Fines should be effective, proportionate and dissuasive.
Have any fines been issued under the GDPR yet?
As of December 2018, a small number of fines have been issued by Data Protection Authorities:
- Austria issued a €4,800 fine for illegal video surveillance.
- Portugal issued a €400,000 fine for an insufficient data access concept.
- France issued a €250,000 fine for inadequate security measures.
- Germany issued a €20,000 fine for a failure to protect personal data.
- The UK issued a £17 million fine for unlawful data processing.
Why haven’t there been many fines?
Data Protection Authorities need time to investigate organisations that may have failed to comply with the GDPR. This allows them to determine whether an infringement has taken place and what the appropriate enforcement action is – including how much, if anything, the organisation will be fined.
Whilst the penalties for non-compliance with the GDPR are intended to be an effective deterrent, businesses should focus on bringing their compliance strategy up to scratch and having effective processes in place should an audit or data breach occur.