When it comes to newly introduced regulations, lawmakers gave organizations time to transition into the new norms. Unfortunately, that transition time is up; the maximum fine for GDPR non-compliance has already been issued to many European multi-nationals. However, SMEs are not hidden from the gaze of the regulator.
Join us as we explore the potential fines for non-compliance, who issues them, and you can avoid them.
A reminder on GDPR Non-Compliance
Since its introduction in 2016, the GDPR has been notorious for its heavy fines. You will often hear 4% of global revenue or Euro 20 Million quoted.
The truth is there are two tiers of fines:
- 4% of global revenue or Euro 20 Million, whichever is higher
- 2% of global revenue or Euro 10 Million, whichever is higher
But this is not the whole story. GDPR fines are slightly more complicated than that, and not all breaches are considered equally.
GDPR Non-compliance can come in many forms, from minor infractions to fully blown privacy violations. These practices are also dependent on the size of the organization. Most SMEs might be breaching the regulation without even knowing it, while some of the big tech boys (like Google or Facebook) will weigh up the cost of a fine against the gain of unlawful processing.
Keep in mind that the regulation is not static. Changes are constantly being discussed in the European Data Protection Board, with a recent revision on cookie and consent policies. You can expect that the regulators will catch up with big tech and change fines accordingly.
And as a final note, it is in your organization’s interest to stick with best practice models. With trends of privacy becoming a significant concern for consumers, best practice is a way to comply with the regulation and show good faith with your users or customers.
Who Has The Authority To To Fine You
Any Data Protection Authority (DPA) that finds your organization in violation of the regulation has the right to fine you.
The DPA is a governmental body that each member state (EU state) has enlisted as its data protection authority. For example, in the UK, the Information Commissioner’s Office (ICO) is the state DPA. Although the UK has left the EU, they have adapted their version of the GDPR known as the UK GDPR.
The UK GDPR is more or less the same as the EU GDPR but concerns UK data subjects.
Each EU country will have a DPA whose job is to protect that specific member state’s data subject. The most considerable fines so far were from DPA’s fining organizations within their borders.
For example, one of the more historic fines was imposed on TIM (an Italian telecommunication company) by the Italian DPA, il Garante, for a whopping 27 million Euro. This is not to say that foreign companies have not met the ire of European DPA’s. France has been fine heavy on big tech companies like Google and Amazon, 120 million Euros and 42 million Euros respectively.
You should understand that these heavy fines are a possibility and not an actuality. In a later section, titled how are penalties calculated? We will go into greater detail about how not all violations are weighted equally.
Where Does The Money Go?
With some of the eye-watering fines mentioned above, the curious mind wonders what happens to all that money. That is a good question, and the answer is; it depends. It depends on where the fine was issued. For example, in the UK, all fines issued and collected by the ICO go to Her Majesties (HM) Treasury; this treasury is a government fund used to fund infrastructure projects like roads and hospitals.
However, most EU countries will follow a similar pattern; fines are collected by the government and used for its budget or cover litigation costs. There has been talk within some DPA circles to use the fine money as compensation for data subjects, where data subjects have suffered material or non-material damages.
To get a more precise answer, you will have to check with the country-specific DPA.
How are fines calculated?
GDPR fines are calculated on a case-by-case basis. DPA’s will rarely give out blanket penalties and are cautious when it comes to issuing them. Keep in mind that the regulation is still relatively new, having completed its 3rd year in 2020. Meaning regulators are still giving organizations time to settle into the new norm. However, as we have already seen, that does not mean gross misconduct has gone unnoticed. There have been cases of smaller firms fined in the 12 thousand Euro range.
These are some of the factors that are taken into account when the DPA is making a penalty decision:
- Was the breach accidental or due to malicious action?
- What was the type of infringement, how severe was it, and how long did it last?
- What type of personal data was involved, was there a loss of special categories?
- Was your organization cooperative with the DPA?
- What security measures did you have in place before the violation, if any?
- Is this your first violation?
- Did the breach or violation result in serious risk to the rights and freedoms of the data subjects?
- Was your organization the one to notify the DPA, or was a complaint lodged by a watchdog or data subject?
- Was an effort made on your part to fix and issues or patch security vulnerabilities?
These are a few of the questions that DPA will be asking to understand if a fine is needed. There is a stigma that organizations are as much at fault as the attacker regarding data breaches. But they are victims of cybercrime. Some might be lead to believe that because of the way the company handles data breaches.
In the accidental loss, the responsibility lies solely on the organization, but fines will still be decided by how the organization handles it.
How To Avoid Fines
Avoiding fines is relatively straightforward; all it takes is compliance, and while that is easier said than done, it is not complicated. Generally speaking, there are some critical articles that companies struggle to comply with; these articles are also where the vast majority of fines are issued.
- Article 5 Data Processing Principles: you must process data
- Lawfully, fairly, and transparently
- Collected with a legitimate purpose
- The collection is limited to what is necessary
- Accurate and kept up to date
- With a lifecycle
- Article 6 lawfulness of processing: you can only process data
- If data subjects have given consent
- Under contractual necessity
- To comply with legal obligations
- If it is to protect the data subjects vital interests
- In the realm of public interest
- Article 32 security of processing: this is often the hardest to implement because it requires implementing organizational and technical safeguards to secure all the organization processes’ data.
The last article mentioned is much easier if the responsibilities are deferred to a partner. Managed Security Service Providers (MSSP) are a great asset to any organizational information system.
How RSI Security Can Help You Avoid Fines
GDPR compliance can be quite daunting for many organizations. Often progress slows down when projects begin to scale, and implementing a compliance strategy becomes necessary. Don’t let regulatory requirements slow down innovation. RSI Security is the nation’s premier cybersecurity provider; with deep knowledge of data protection laws, you can trust us to keep you on the right side of the law. Avoid GDPR non-compliance penalties and get in contact with us today.