GDPR Fines and Penalties for Noncompliance
The potential maximum fines and penalties under the EU General Data Protection Regulation (GDPR) have been widely discussed. They are largely covered by GDPR Articles 82 through 84.
Who is Subject to GDPR Fines?
Controllers are liable for damages caused by violations of the GDPR. Processors are liable for damage if the processor has not complied with the GDPR or with the instructions given to it by the controller. As a result, controllers can be liable both for their own infringements and for the infringements of their processors.
Controllers and processors are exempt from liability under the above if they are not responsible for the event causing the damage. If more than one organization is responsible for the damage, each is liable for the entire amount of the damage. An organization that pays the full amount is entitled to recover compensation from the other responsible organizations.
Lower Tier of Fines
Administrative fines of up to 10 million EUR or 2% of global annual revenue for the preceding financial year, whichever is higher, are possible for violations of controller and processor obligations under Articles 8, 11, 25 to 39, 42 and 43. These obligations include child/parental consent, processing that does not require identification of the data subject, privacy by design, data-sharing agreements, recordkeeping, 72-hour breach notifications, data protection impact assessments (DPIAs), data protection officers (DPOs or DPO as a service) and privacy certifications. Certification and monitoring bodies also have obligations under the lower tier of penalties.
Maximum Fines
Article 83 provides for administrative fines of up to 20 million EUR or 4% of global annual revenue for the preceding financial year (whichever is higher) for violations of:
– Basic principles of processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9.
– Data subject rights pursuant to Articles 12 through 22.
– Transfers of personal data to recipients in a third country or to international organizations under Articles 44 to 49.
– Obligations pursuant to Member State law adopted under Articles 85 through 91.
– Noncompliance with an order by the supervisory authority under Article 58(2) or a request for access under Article 58(1).
What if an article isn’t listed in the fines and penalties identified above?
Article 84 of the GDPR provides for the adoption by Member States of rules for “effective, proportionate and dissuasive” penalties for infringements not identified in Article 83.
What factors will be used in determining the amount of the GDPR penalties?
The decision to impose an administrative fine and the amount of the fine takes into account the following (summarized) factors:
– nature, gravity and duration of the infringement
– the intentional or negligent character of the infringement
– action taken to mitigate the damage
– degree of responsibility, taking into account the implementation of Article 25 (privacy by design/default) and Article 32 (security)
– any previous relevant infringements
– degree of cooperation with the supervisory authority
– categories of personal data affected
– the extent to which the controller or processor notified the supervisory authority of the infringement
– compliance with previous enforcement orders on the same subject matter
– adherence to codes of conduct or certifications under Article 40 and Article 42.
– any other applicable aggravating or mitigating factor, such as financial benefits gained or losses avoided
GDPR Fines for US Companies
There is no separate tier of penalties for companies that are not located in the EU. US organizations will face the same fines as companies with physical operations in the EU. However, it remains to be seen how quickly EU regulators will move to begin enforcement actions against small and medium-sized businesses based in the United States. Larger organizations conducting processing at the heart of what the GDPR is aimed at preventing and which have not taken sufficient action despite two years to prepare could obviously find themselves in the crosshairs of data protection authorities from the beginning of the enforcement period in May 2018.
Contact Clarip Today for Help with CCPA and GDPR
The Clarip team and data privacy software are prepared to help your organization improve its privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If your challenge right now is CCPA compliance for your California operations, allow us to show you our CCPA software. From consent management software to offer the option to opt-out of the sale of personal data, to a powerful DSAR Portal to facilitate the right to access and delete, Clarip offers enterprise privacy management at an affordable price.
If you are preparing your European operations for GDPR compliance, we can help through our modular GDPR software. Whether you are looking to start the process with GDPR data mapping software, increase automation in your privacy program with DPIA software, or handle ePrivacy with a cookie consent manager, Clarip has the privacy platform that you need to bolster your program.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.