GDPR Fines and Penalties

Travis Good, MD

Co-founder, CEO & Chief Privacy Officer

January 18, 2018

If you work with data on EU citizens, complying with GDPR is an imperative starting in May of 2018. Article 58 of GDPR grants supervisory authorities the ability not only to investigate controllers and processors but also to impose fines. The administrative penalties are defined in GDPR Article 83. The fines are in addition to the other actions, such as audits and corrective orders, outlined in Article 58.

Article 83 GDPR Fines and Penalties

The specific GDPR penalty language, and the bulk of the discussion and interest in the Regulation, is in Article 83. Article 83 defines two tiers of fines: 1) up to 10,000,000 EUR or 2% of total worldwide annual turnover (revenue), and 2) up to 20,000,000 EUR or 4% of total worldwide annual turnover (revenue), in each case whichever is higher. The infringements that trigger each tier are outlined below.

Low-Level GDPR Fines of 10,000,000 EUR

Fines of 10,000,000 EUR or 2% of revenue can be levied on controllers and processors based on the following terms.

“Infringements of the following provisions shall, by paragraph 2, be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the obligations of the controller and the processor under Articles 8, 11, 25 to 39 and 42 and 43; b) the obligations of the certification body pursuant to Articles 42 and 43; c) the obligations of the monitoring body pursuant to Article 41(4).”

In short, the lower-level fines apply when you did not follow the principle of security by design and, in some way, your security posture resulted in a breach of EU citizen data.

High-Level GDPR Fines of 20,000,000 EUR

Fines of 20,000,000 EUR or 4% of revenue can be levied on controllers and processors based on the following terms.

“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; b) the data subjects’ rights pursuant to Articles 12 to 22; c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49; d) any obligations pursuant to Member State law adopted under Chapter IX; e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).”

In short, the higher-level fines apply when you did not follow the principle of security by default. This means the policies and procedures you put in place for your compliance program, roughly the principle of data privacy, resulted in a breach of EU citizen data.

The Regulation is clear that fines imposed on controllers and processors, regardless of the amount or of the body imposing the penalty (Member State vs. EU GDPR supervisory authority), are intended to be “effective, proportionate, and dissuasive”; the same language is used in Article 84, discussed below.

Article 83 also lays out the factors that will be considered in assessing the size of a fine. Those factors, and the things you can do to minimize your risk of a more substantial fine, are outlined below.

How to minimize your risk of GDPR fines and penalties

Work with authorities proactively

At the very least, you should ensure you meet the 72-hour requirement for notifying authorities of a data breach. More broadly, you should cooperate with authorities and be as transparent as possible. Security by obscurity does not work with GDPR.

Follow recommendations by authorities

If you don’t, have clear justification and mitigation for why you didn’t. If a GDPR authority recommends a specific plan, whether for your organization or generally for data controllers and processors, you should evaluate implementing it. If you decide not to, clearly document the reasons why.

Build in security by design and default

You need to have privacy (no unauthorized access) and security (technical security measures) in your DNA. Security should be a core part of how you design, develop, deliver, and support your products, and that posture should be documented as evidence. It goes without saying, but your actions should also back up your stated intention of complying with GDPR.

Limit your data exposure

One of the significant factors in determining the amount of a fine is the extent of the precipitating data breach. The scope of a breach covers both the number of records affected and the depth of the data exposed. To minimize your risk exposure, separate data and access so that a single compromise does not expose everything; there shouldn’t be one key to the castle.

Article 84 Member States’ Penalties

Additionally, Article 84 grants Member States the power to implement their own penalties for infringements of GDPR. These penalties, which can vary from country to country, must be communicated to the Commission by May 25, 2018. As such, this is an evolving area, and the true extent of penalties for violating GDPR is not yet known.

Penalties for violating GDPR and exposing EU citizen data in an unauthorized way are significant. The details are still trickling out and will continue to evolve even after GDPR goes into effect in May 2018, but the message is clear — if you do business in the EU and house data on EU citizens you are exposed to high financial risk.

Learn more about GDPR — Become familiar with the GDPR Data Breach Requirements