Your Quick Guide to GDPR Fines and Sanctions

March 19, 2020

Written by Jane Murphy


The EU’s General Data Protection Regulation (GDPR) is novel not just because of the sweeping nature of the regulation. It’s also one of the first privacy regulations to compel compliance from organizations by ensuring that non-compliance is very, very expensive.

Under the GDPR, national authorities have the ability to levy financial penalties for GDPR infringements. These fines work in addition to or instead of other corrective powers. The largest fines are up to 20 million euros or 4% of global turnover for the most severe violations. However, even less severe infringements are expensive.

Although GDPR compliance is complicated and often costly, it rarely costs more than GDPR penalties. Keep reading to learn more about how GDPR fines work and whether you’re at risk of facing a significant penalty.

What Are the Penalties for GDPR Violations?

The GDPR grants national authorities the power to apply fines of up to 20 million euros or 4% of the previous financial year’s global turnover (whichever is greater) to the worst violations.

Even among so-called lesser violations, the penalties can still be very high and reach 10 million euros or 2% of global turnover (whichever is greater).

This is a huge amount of money regardless of the size of the organization.

How Do National Authorities Assess GDPR Fines?

The figures above are ceilings or caps that represent the maximum fines. National authorities of the EU’s member states are allowed to assess fines up to those ceilings and can use their discretion when setting the appropriate fines.

So far, there have been fairly few seven-figure fines imposed by the authorities. In fact, some fines are even smaller than the scariest reports suggest. For example, Spain issued a fine of 1,500 euros in February 2020 for a violation of Article 13.

In March 2020, the Netherlands fined the Royal Dutch Lawn Tennis Association 525,000 euros for selling the personal data of its members to sponsors without consent from data subjects.

In January 2020, Austria fined a takeaway for placing a CCTV camera in an area that covered a nearby gas station without producing the appropriate privacy notice. The takeaway was fined 1,500 euros.

To gain an understanding of what kind of fines national authorities are assessing, it’s helpful to review the Enforcement Tracker website (run by the law firm CMS), which contains a list of the penalties published so far by data protection supervisory authorities. The list isn’t complete because not all fines become public record. However, it does help provide insight into the decision-making process.

What are the Biggest GDPR Fines So Far?

The examples above show that businesses of any size can face a GDPR violation. After all, it’s up to the national data protection authority to identify and investigate potential infringements, which means the authority is more nimble than the European Commission or another pan-EU body.

Even so, it’s important not to confuse the prevalence of smaller fines with the potential for devastating penalties. The potential for financial ruin grows with the size of the company, and regulators haven’t been shy about adding huge fines for violations.

So far, the biggest GDPR fine is the one given to British Airways (BA). BA faced a 204.6 million euro fine as a direct result of its 2018 data breach. The breach impacted over 500,000 customers, and the UK’s Information Commissioner’s Office (ICO) determined that it was the product of “poor security arrangements,” which is why the final bill was so steep.

Rounding out the top five largest fines are:

  • Marriott International – 110.3 million euro
  • Alphabet Inc (Google) – 50 million euro
  • Austrian Post – 18.5 million euro
  • Deutsche Wohnen SE – 14.5 million euro

Notice that these companies collect huge amounts of European personal data. The list also shows that regulators aren’t afraid of going after big organisations, even if those organisations are important bodies in their own states.

Are Fines Always Required?

Will every violation be hit with a fine? No, not all GDPR infringements warrant a financial penalty. Instead, a data protection authority might choose to:

  • Issue a warning
  • Impose a ban on data processing (temporary or permanent)
  • Demand the erasure of data
  • Suspend data transfers to third countries

Whether or not the action comes with a fine might also be the product of:

  • The type of violation
  • The severity of the violation
  • Mitigation measures
  • Preventive measures
  • Cooperation
  • Certifications
  • Data type
  • Intentions
  • Previous infringements

However, it is always up to the discretion of the data protection authority.

How to Avoid GDPR Fines and Penalties

Avoiding GDPR fines requires each company to (1) understand whether they fall under the umbrella of the regulation and (2) understand their responsibilities.

If your business processes the data of individuals in Europe, then it is very likely that you must comply with the regulation. Should you choose not to comply (in error or wilfully), you are at risk of fines. The only way to avoid fines is to block your site in the European Union and relinquish any European personal data.

For most companies, losing access to a market of 512.4 million people is simply out of the question. As a result, compliance is the only way forward.

What Should Your Company Do Next?

Compliance is a fairly complicated process because the GDPR touches every aspect of data processing. It begins before you collect data and carries through to the erasure of it.

While the GDPR isn’t prescriptive, it does provide seven principles that illuminate the path forward.

The seven data protection principles include:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Data accuracy
  5. Data storage limits
  6. Security, integrity, and confidentiality
  7. Accountability

These principles are highlighted in Article 5 of the GDPR.

What does this mean?

It means that you must collect and process data only if you have a legal basis to do so and if you properly inform individuals about how you will do that. The principles also stipulate that you must avoid collecting data that you don’t need or use. It’s also important to ensure that any data that you store is accurate and that you set limits on the amount of time you keep data.

These are all policy endeavours, but there is some investment involved, too.

Security practices are critical when avoiding GDPR fines. The regulation requires that you report breaches to the relevant data protection authorities once the breach moves beyond a certain threshold. At a minimum, you must have proper security practices, secure storage, and only share data with countries that meet the EU’s security requirements.

Don’t Forget About the Human Element

The human element of the GDPR is almost forgotten with all the concerns regarding security protections and consent mechanisms. But every element of the GDPR is important, so it is important to ensure that your teams include the right team members and that they are educated to a minimum standard.

First, the regulation requires that anyone who works with personal data needs to understand their role in privacy and protection. Again, the GDPR doesn’t provide specific requirements, so it’s up to each organisation to ensure they meet the requirements. Training can occur through off-the-shelf training courses or through a custom culture change.

But your organisation is not GDPR compliant until the training occurs (and is documented).

The GDPR also requires the nomination of several new positions. Two of these are the Data Protection Officer (DPO) and, for companies based outside of Europe, the EU GDPR Representative. These are two distinct positions, and not all companies will need to nominate both.

However, failing to nominate and share the details of your DPO or EU representative could leave you liable to fines. So, it is important to understand your obligations early.

If you need a DPO or EU GDPR representative and you don’t have one, then you have violated the GDPR and could face fines.

Compliance Costs Less than GDPR Penalties

The GDPR impacts almost any organisation that collects and processes the data of individuals in Europe. It aims to ensure that companies act with transparency and are held accountable.

National data protection authorities have the option to levy fines against those who violate the GDPR, whether willfully or accidentally. These fines can reach nine figures among large businesses, and authorities continue to demonstrate that they are not afraid to dole out staggering fines.

If your organisation falls under the umbrella of the GDPR, then you have two choices: comply or ensure that you don’t collect the data of individuals in Europe. Whether you are a global technology company or a small start-up, the GDPR may apply to you.

Do you have an obligation to comply with the GDPR? Take our free assessment to see whether you need an EU Representative.
