How GDPR administrative fines and sanctions will be applied
Fines under the General Data Protection Regulation (GDPR). What you need to know about GDPR fines, the guidelines on the application of GDPR administrative fines, ways to protect against GDPR fines, penalties, sanctions and the sanction mechanism under the GDPR.
If there is one thing that people know about the GDPR, it’s that GDPR fines (administrative fines) can go up to 20 million euros or 4 percent of annual global (note global!) turnover, whichever is higher.
The maximum fines do not mean, of course, that this highest level of administrative fines is applied by definition. The exact fines depend on numerous factors: how severe the non-compliance and potential personal data breaches are; the measures that have been taken to be GDPR compliant (with GDPR awareness a first one); the degree to which an organization fails to set up the essential mechanisms to prevent personal data breaches or to deliver upon the requests of data subjects in the scope of their data subject rights (right of access, right to data portability, right to erasure etc.); the willingness to respond to such requests; the degree to which privacy by design is respected; additional measures and rights when consent is the chosen legal ground for lawful processing; and far more.
Two levels of GDPR fines – understanding them
On top of the maximum GDPR fines mentioned above, a second level of fines (10 million euros or two percent of global annual turnover) is foreseen, which means that the GDPR differentiates. The GDPR text itself sums up these two levels of fines and the factors influencing them in Chapter 8 (remedies, liabilities and penalties, and thus those famous fines too).
Article 83(1) describes the general conditions for imposing administrative fines. Administrative fines need to be assessed in each individual case and be ‘effective, proportionate and dissuasive’.
Article 83(2) lists the criteria, and further on the Article looks at the two groups of fines. Among the criteria which the GDPR mentions in its Article 83 are the nature, gravity and duration of the infringement, the scope and purpose of the personal data processing, the number of data subjects affected by an infringement and the degree of damage it caused, the level of cooperation with the data protection authority and far more.
By splitting the GDPR fines into two groups, the GDPR by definition indicates the different impact and importance of the several obligations that can be breached. If you read Article 83, and the details it mentions for both groups of fines, you’ll see for instance that the unlawful processing of specific categories of personal data and conditions for consent are fined higher than, for example, breaches with regard to aspects such as privacy impact assessments.
However, all in all it remains hard for many to understand, and in the end you simply don’t know which GDPR fines will be applied. So, is there a slightly better way to know how GDPR fines will be calculated, how you can prevent GDPR fines and what your options are?
Avoiding GDPR fines: the use of cyber insurance and the need to move towards compliance
The simplest and most obvious answer to the question of how to avoid GDPR fines is making sure that you are as GDPR compliant as possible and can demonstrate that you have done all you could in a prioritized way. That means taking into account all aspects of the GDPR, risks from the data subject perspective, and the different types of personal data, data flows and processing in your organization and its ecosystem of partners, along with the major rules of the GDPR such as consent and other principles of the lawfulness of processing personal data.
Yet 100% GDPR compliance is a myth, for reasons we explained, among others, in our article on the business strategy aspects of GDPR and information management. That’s why GDPR awareness isn’t just about staff awareness but also means looking thoroughly at all the Articles in the GDPR, which in turn point to other ones you need to know.
A second question that arises is how you can pay potential GDPR fines. After all, if you are never fully sure, then what happens if you are fined anyway?
This question is often asked, and some companies that feel they won’t be ready, find the interpretation of the GDPR too hard, feel uncomfortable or don’t think they will be financially able to pay potential GDPR fines answer it by taking out cyber insurance. However, in many cases cyber insurance will only cover the costs of a breach and of the various aspects of solving and looking into it, as well as the communications around it.