The General Data Protection Regulation came into effect on May 25th 2018, and one of its main enforcement elements is GDPR fines. The regulation is a landmark piece of legislation and has since had wide-reaching implications for many companies both within and outside the EU. GDPR compliance is a requirement for any company that collects, maintains, or uses the personal data of EU citizens. EU lawmakers intended the regulation to minimise the risk of data theft and to ensure that adequate protections are put in place to protect the integrity of confidential information. GDPR also grants individuals more rights over their data. Given the significance of the regulation, it is no surprise that the fines for non-compliance are substantial.
GDPR Non-Compliance Fines
If a regulatory authority finds an organisation to be non-compliant with GDPR, it can impose any of a number of different penalties. The size of the fine depends on various factors, including the type of violation and the number of records affected in a data breach. In the event of a data breach, the regulatory authority also takes the organisation’s response to the breach into account. Maximum penalties for GDPR non-compliance (including violations caused by accidental disclosure) are considerable:
Non-compliance with GDPR security standards may result in a fine of €10 million or 2% of global annual turnover – whichever is higher.
Non-compliance with GDPR privacy standards may result in a fine of €20 million or 4% of global annual turnover – whichever is higher.
The authority that fines non-compliant organisations depends on the Member State in question. Many EU countries have their own Data Protection Authorities (DPAs) which, before GDPR, ensured that national data protection laws were followed. Their responsibilities now extend to ensuring GDPR compliance. DPAs have the power to conduct GDPR compliance audits and to impose penalties for any non-compliance found. DPAs can impose penalties even if the organisation has not suffered a data breach but is still found to be non-compliant with GDPR.
In certain circumstances, DPAs may deem it appropriate to impose further penalties on organisations found to have violated GDPR. For example, under GDPR, organisations are required to notify the relevant DPA within 72 hours of a data breach being discovered. The DPA may penalise an organisation that is found to have failed to do so.
If the data breach is likely to place affected individuals at risk of identity theft, fraud, financial loss, discrimination, damage to reputation, or other economic or social disadvantage, the breach must also be notified directly to those individuals. Depending on the case, an affected individual may bring a personal lawsuit against the organisation.
It should be noted that organisations are not obliged to inform individuals of a data breach if the data in question was encrypted and therefore useless to the criminal who stole it. The Data Protection Authority must still be informed of the breach, and the organisation’s Data Protection Officer would be responsible for demonstrating to the DPA that the necessary technical safeguards were in place before the breach.
In particular circumstances, an organisation may also face criminal charges, depending on the national law of the EU Member State concerned.