GDPR Series, Part 4: The Penalties for Non-Compliance
In the first three parts of this series, we covered the GDPR basics: who is subject to the GDPR requirements, what rules require data protection technology, and how you can start preparing your organization for the regulation. In this final installment, we will cover what happens when you are not in compliance with the GDPR requirements – the penalties.
The GDPR gives new power to data protection authorities
Compared to its predecessor, the Data Protection Directive (95/46/EC), the GDPR[1] gives data protection authorities more investigative and enforcement powers and the power to levy more substantial fines.
Previously, under the Directive, each member state was free to adopt laws in accordance with the principles laid out in the Directive, which meant that there were differences in the way each member country implemented and enforced the Directive. The GDPR is a regulation that applies in all member states of the EU.
The GDPR provides a new one-stop-shop regulatory framework for the investigation of complaints and enforcement of the GDPR requirements. Under this framework a member state’s supervisory authority will operate in one of three roles:
- Lead Supervisory Authority: will act as the lead supervisory authority for the controllers and processors whose main establishments are located in its member state. This will permit a controller or processor to rely on the guidance and enforcement procedures of one single EU supervisory authority.
- Local Authority: may deal with complaints or infringements that only affect data subjects in its member state.
- Concerned Authorities: will act when data subjects in their member state are substantially affected and will cooperate with the lead supervisory authority for the matter.
This model is designed to provide a uniform, cross-EU enforcement model that still provides individual member states flexibility on matters that pertain only to data subjects residing within their territory.
How is the fine calculated?
Article 58 of the GDPR provides the supervisory authority with the power to impose administrative fines under Article 83 based on several factors, including:
- The nature, gravity and duration of the infringement (e.g., how many people were affected and how much damage was suffered by them)
- Whether the infringement was intentional or negligent
- Whether the controller or processor took any steps to mitigate the damage
- Technical and organizational measures that had been implemented by the controller or processor
- Prior infringements by the controller or processor
- The degree of cooperation with the regulator
- The types of personal data involved
- The way the regulator found out about the infringement
The greater of €10 million or 2% of global annual turnover
If it is determined that non-compliance was related to technical measures such as impact assessments, breach notifications and certifications, then the fine may be up to an amount that is the GREATER of €10 million or 2% of global annual turnover (revenue) from the prior year.
The greater of €20 million or 4% of global annual turnover
In the case of non-compliance with key provisions of the GDPR, regulators have the authority to levy a fine in an amount that is up to the GREATER of €20 million or 4% of global annual turnover in the prior year. Examples that fall under this category are non-adherence to the core principles of processing personal data, infringement of the rights of data subjects and the transfer of personal data to third countries or international organizations that do not ensure an adequate level of data protection.
The key word is “greater”
The word “greater” generates perhaps the most concern for those who must comply with this regulation. Many global companies have annual revenues in the tens of billions.
Let’s look at an example. Say Acme, Inc., generates €30 billion in revenue in 2017 and in 2018 it is found to have transferred personal data to a third country that lacks the appropriate safeguards to protect that data. The relevant supervisory authority will have the power to levy a fine of €1.2 billion (4% of €30 billion), which is far more than €20 million. While 4% fines will be reserved for only the most flagrant violators, even a 1.5% fine – €450 million in our example – could make a material difference to a company that will also be dealing with pressure on its business from bad press and a loss of market trust.
What this all means
The time to start planning for GDPR compliance is now. May 2018 is not as far off as it seems, and time-consuming investigations and hefty fines may loom on the horizon. Once you discover and inventory your data repositories and sensitive data you can begin to better scope your GDPR readiness project.
[1] Official Journal of the European Union, Regulation (EU) 2016/679 of the European Parliament and of the Council