What is General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is the European Union’s data protection law. We’ve gone straight to the source for the most accurate and comprehensive explanation of all that needs to be understood on GDPR, so the following material is courtesy of GDPR.eu, which is the complete guide to GDPR compliance.
GDPR.eu is a resource for organizations and individuals researching the General Data Protection Regulation. The site offers a library of straightforward and up-to-date information to help organizations achieve GDPR compliance.
According to GDPR.eu, this is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
GDPR.eu is provided as a helpful resource to quickly find all 99 Articles and 173 Recitals of the Regulation, as well as guides and checklists that walk readers through how the Regulation may apply to them. It also offers the official PDF of the Regulation (EU) 2016/679 (General Data Protection Regulation) in its current version.
GDPR fines are designed to make non-compliance a costly mistake for both large and small businesses. In this article we’ll talk about how much a GDPR fine is and how regulators determine the figure.
The European Union’s General Data Protection Regulation (GDPR) was designed to apply to all types of businesses, from multinationals down to micro-enterprises. The fines imposed by the GDPR under Article 83 are flexible and scale with the firm. Any organization that is not GDPR compliant, regardless of its size, faces a significant liability.
Below we will look at the administrative fine structure, how fines are assessed, and which infringements can incur penalties – essentially, a brief primer on the financial exposure organizations face for non-compliance.
Two tiers of GDPR fines
The GDPR states explicitly that some violations are more severe than others.
The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. They include any violation of the articles governing:
Controllers and processors (Articles 8, 11, 25-39, 42, and 43) — Organizations that collect and control data (controllers) and those that are contracted to process data (processors) must adhere to rules governing data protection, lawful basis for processing, and more. These are the articles an organization needs to read and adhere to.
Certification bodies (Articles 42 and 43) — Accredited bodies charged with certifying organizations must execute their evaluations and assessments without bias and via a transparent process.
Monitoring bodies (Article 41) — Bodies that have been designated to have the appropriate level of expertise must demonstrate independence and follow established procedure in handling complaints or reported infringements in an impartial and transparent manner.
The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. These include any violations of the articles governing:
They also include:
And these are just the administrative fines. Article 82 gives data subjects the right to seek compensation from organizations that cause them material or non-material damage as a result of a GDPR infringement.
How much is a GDPR fine?
Under the GDPR, fines are administered by the data protection regulator in each EU country. That authority will determine whether an infringement has occurred and the severity of the penalty. They will use the following 10 criteria to determine whether a fine will be assessed and in what amount:
If regulators determine an organization has multiple GDPR violations, it will only be penalized for the most severe one, provided all the infringements are part of the same processing operation.
Data controller’s responsibility
Many companies use third parties, like email or cloud storage services, to handle their data. While this can be helpful in adhering to the GDPR if the third party has a higher technological capacity, it does not absolve the hiring organization (i.e. the controller) from ensuring that personal data is processed in accordance with the GDPR. Unless the controller can clearly demonstrate that it was “not in any way responsible for the event giving rise to the damage,” it will be fully liable for any infringement caused by a non-compliant third party.
For this reason, it’s important to carefully vet any third-party services used to make sure they have a good track record for security.
The GDPR’s stiff fines are aimed at ensuring best practices for data security are too costly not to adopt. While it remains to be seen how fines will be applied by different EU member states, these fines loom for any organization not making strides to ensure GDPR compliance.