Learn what you need to know about GDPR fines, as it is one of the most talked-about aspects of the GDPR. Below is a short explanation of what triggers the GDPR fines and who awards them. This article will also discuss what you can do to mitigate the amount.
Administrative fines are one of the sanctions available when data is mistreated under the GDPR. Sanctions are triggered when an organisation violates the GDPR. There are higher and lower levels to these fines. Whether a supervisory authority awards an organisation a high or low fine depends on a variety of factors, namely the severity of the violation and the actions taken by the organisation.
The highest possible fines
GDPR fines for lesser infringements may reach up to 10,000,000 EUR or up to 2% of the total worldwide annual turnover, whichever is higher. Likewise, fines for greater infringements may reach up to 20,000,000 EUR or up to 4% of the total worldwide annual turnover, whichever is higher.
There are a variety of different reasons that can trigger lower-level fines, for example the non-performance of a DPIA when one is needed, not keeping records of processing activities, or failing to maintain proper IT security.
Similarly, as with the lower level of fines, there are many reasons that can trigger the high fines. Examples include violating the basic principles for processing, violating data subjects’ rights, or non-compliance with the supervisory authority’s orders.
What determines the size of GDPR fines?
The sizes of the fines detailed above are the highest amounts possible. It is the supervisory authority that decides the size of a fine, and its goal is an effective and proportionate fine. The GDPR lists specific factors for deciding whether a violation should result in a fine and how large it should be, and the supervisory authority makes its assessment based on these.
The main factor is the gravity of the infringement. The authority may also consider previous infringements, how the violation was discovered and how co-operatively an organisation acts in an enforcement action.
For a practical example on how a Supervisory Authority can reason when determining a fine, see our article on the Swedish Supervisory Authority’s first fine regarding use of facial recognition in school.
How can we prevent GDPR fines?
The only safe way to prevent GDPR fines is to be GDPR compliant. You achieve this by working toward fostering a good privacy culture in your company and maintaining the appropriate processes. This includes drafting proper privacy policies, informing data subjects, training your employees and continuously improving the organisation.
Even if your organisation is not yet GDPR compliant, working toward that goal is a mitigating factor. This means that even if you are fined, the supervisory authority will take into account that you are looking to improve. For more information on how to be prepared for an inspection by a supervisory authority, see our article Audit Powers of the Data Protection Authority: How to Prepare.