If you’re reading this, then you are no doubt aware of GDPR - the European Union’s trailblazing law that protects the personal data of its residents.
The mammoth fines handed out to tech giants pop up almost daily in the news, and the €746 million fine imposed on Amazon in 2021 is big enough for anyone to sit up and take notice.
But what does this mean for you?
This article will break down the system of financial penalties established by GDPR, and also look at how exactly these fines are determined.
The law has created a two-tier system for GDPR fines, based on the severity of the non-compliance (Article 83(4) and 83(5)):
Lower tier: up to €10 million, or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Higher tier: up to €20 million, or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Now, that’s a lot of money however you spin it, and these facts alone are enough to worry any business.
However, these are worst-case scenarios and the smallest fine dished out so far has been a somewhat more paltry €28 (Privacy Affairs).
Let’s investigate the differences.
The lower tier (up to €10 million or 2% of annual worldwide turnover) covers less severe infringements. Article 83(4) applies it to three types of organization:
Type of organization: Data controllers and processors. Articles: 8, 11, 25-39, 42 and 43. Requirement: the operational obligations of controllers and processors, such as verifying parental consent for children's data, data protection by design and by default, keeping records of processing, securing processing, notifying breaches, carrying out data protection impact assessments and appointing a data protection officer where required.
Type of organization: Certification bodies. Articles: 42 and 43. Requirement: accredited bodies that issue GDPR certifications must run a transparent and impartial certification process.
Type of organization: Monitoring bodies for approved codes of conduct. Article: 41(4). Requirement: these bodies must follow their established procedures for handling complaints and infringements of the code, and be transparent and impartial.
The higher tier (up to €20 million or 4% of annual worldwide turnover) covers the most serious infringements. Article 83(5) applies it to breaches in the following areas:
Basic principles for data processing (Articles 5, 6 and 9): processing must be lawful, fair and transparent; limited to the specified purposes; kept to the minimum necessary; accurate and up to date; retained no longer than necessary; and protected against unauthorised access, loss or damage. Special categories of data (health, biometrics, political opinions and so on) may only be processed under one of the specific exceptions in Article 9.
Conditions for consent (Article 7): where consent is the justification for processing, it must be freely given, specific, informed and unambiguous, must be as easy to withdraw as to give, and the company must hold the documentation to demonstrate that it was obtained.
Data subject rights (Articles 12 to 22): individuals have the right to know what data a company holds about them and what it is doing with it, and on request to access, correct, erase, restrict or transfer that data, or to object to the processing.
Data transfers to a third country or an international organisation (Articles 44 to 49): personal data may only leave the EU if the European Commission has issued an adequacy decision for the destination, or the transfer is covered by appropriate safeguards such as standard contractual clauses or binding corporate rules, or one of the narrow derogations in Article 49 applies. The transfer itself must also be carried out securely.
Failure to comply with an order, processing limitation or suspension of data flows issued by a supervisory authority under Article 58(2) also falls into this tier.
Given that the size of fines handed out to companies varies so much, it would be easy to think that data protection authorities (DPAs) are pulling random numbers out of a hat.
In reality, DPAs apply Article 83 of the GDPR. Article 83(1) requires every fine to be effective, proportionate and dissuasive, and Article 83(2) lists the factors the authority must weigh in each case: the nature, gravity and duration of the infringement, including the number of data subjects affected and the damage they suffered; whether it was intentional or negligent; any action taken to mitigate the damage; the degree of responsibility, taking into account the technical and organisational measures that were in place; any previous infringements; the degree of cooperation with the authority; the categories of personal data affected; how the authority became aware of the infringement, in particular whether the company reported it itself; whether earlier corrective orders were complied with; adherence to approved codes of conduct or certification schemes; and any other aggravating or mitigating factor, such as financial gains made from the infringement.
The purpose of these financial sanctions is to discourage companies from ignoring GDPR requirements for personal data, not to force them into liquidation.
Payment of a fine is nonetheless a legal obligation. GDPR itself does not provide for imprisonment; an unpaid fine is enforced through national administrative law, and Article 84 leaves Member States free to lay down other penalties, which in some countries include criminal offences for certain data protection breaches.
Fines are also not the only tool, and often not the first. Article 58(2) gives supervisory authorities a range of corrective powers, including warnings, reprimands and orders to bring processing into compliance, and a fine may be imposed instead of or in addition to these. Regulators are still building out guidance to help companies meet their data protection responsibilities.
Many investigations end with a warning, reprimand or corrective order rather than a fine. By complying with such an order you should be able to avoid the worst of these sanctions; ignoring it, on the other hand, is itself a top-tier infringement under Article 83(5).
Beyond the fine itself, enforcement action by your data protection authority can have other consequences.
Firstly, companies will lose a lot of trust from customers. Nearly 70% of all global internet users are now proactively looking for ways to protect their online privacy (Statista).
Secondly, it stands to reason that companies that fall foul of GDPR enforcement work will lose business, with consequences for long-term prosperity.
Finally, a supervisory authority can impose a temporary or definitive ban on processing under Article 58(2)(f). For a business that depends on processing the personal data of EU residents, a definitive ban is effectively the end of its EU operations.
Data protection authorities are becoming more sophisticated and are issuing more fines than ever before. They remain overworked, however, and enforcement still cannot keep up with the number of new cases for the moment.
The surest way to avoid fines is to comply with GDPR.
Given the paucity of official guidance out there, we’ve created a guide which can help companies meet GDPR requirements.
Why not have a look and set the wheels in motion?