Fines under the General Data Protection Regulation (GDPR). What you need to know about GDPR fines, the guidelines on the application of GDPR administrative fines, ways to protect against GDPR fines, penalties, sanctions and the sanction mechanism under the GDPR.
If there is one thing that people know about the GDPR, it’s that GDPR fines (administrative fines) can go up to 20 million Euros or 4 percent of annual global (note: global!) turnover, whichever is higher.
As explained in our GDPR overview, the maximum fines of course don’t mean that this highest level of administrative fines is applied by definition. The exact fines depend on numerous factors, such as: how severe non-compliance and potential personal data breaches are; the measures that have been taken to be GDPR compliant (with GDPR awareness a first one); the degree to which an organization fails to set up the essential mechanisms to prevent personal data breaches or deliver upon the requests of data subjects in the scope of the several data subject rights they have (right of access, right to data portability, right to erasure etc.); the willingness to respond to such requests; the degree to which privacy by design is respected; additional measures and rights when consent is the chosen legal ground for lawful processing; and far more.
Two levels of GDPR fines – understanding them
On top of the mentioned maximum GDPR fines a second level of fines (10 million euros or two percent of global annual turnover) is foreseen, which means that the GDPR differentiates. The GDPR text itself sums up these two levels of fines and factors influencing them in Chapter 8 (remedies, liabilities and penalties, and thus those famous fines too) of the GDPR text.
In Article 83(1) the general conditions to impose administrative fines are described. Administrative fines need to be looked upon per individual case and be ‘effective, proportionate and dissuasive’.
In Article 83(2), criteria are mentioned and further in the Article the text looks at the two groups of fines. Among the criteria which the GDPR mentions in its Article 83 are the nature, gravity and duration of the infringement, the scope and purpose of the personal data processing, the number of data subjects and the degree of damage concerned by an infringement, the level of cooperation with the data protection authority and far more.
By splitting up the GDPR fines into two groups, the GDPR by definition signals that the obligations which can be breached differ in impact and importance. If you read Article 83 and the details it mentions for both groups of fines, you’ll see, for instance, that the unlawful processing of specific categories of personal data and breaches of the conditions for consent carry higher fines than, for example, breaches with regard to aspects such as privacy impact assessments.
However, all in all it does remain hard to understand for many and in the end you simply don’t know what GDPR fines will be applied. So, is there a slightly better way to know how GDPR fines will be calculated, how you can prevent GDPR fines and what your options are?
Avoiding GDPR fines: the use of cyber insurance and the need to move towards compliance
The simplest and most obvious answer to the question of how to avoid GDPR fines is making sure that you are as GDPR compliant as possible and can demonstrate you have done all you could in a prioritized way, taking into account all aspects of GDPR, risks from the data subject perspective, the different types of personal data, data flows and processing in your organization and its ecosystem of partners, and the major rules of the GDPR such as consent and other principles of the lawfulness of processing personal data.
Yet, 100% GDPR compliance is a myth, for reasons we explained, among others, in our article on the business strategy aspects of GDPR and information management. That’s why GDPR awareness isn’t just about staff awareness but also means looking thoroughly at all the Articles in the GDPR, which in turn point to other ones you need to know.
A second question that arises is how you can pay potential GDPR fines. After all, if you are never fully sure, what happens if you are fined anyway?
This question is often asked. Some companies, which feel they won’t be ready, find the interpretation of GDPR too hard, feel uncomfortable or don’t think they will be financially able to pay potential GDPR fines, answer it by taking out cyber insurance. However, in many cases cyber insurance will only cover the costs of a breach and of the various aspects of solving and looking into it, as well as the communications around it.
But it normally won’t cover the additional indirect consequences and costs of potential severe breaches or flagrant cases of not even being close to GDPR compliance. And, even if you are insured, you will still need to work towards compliance, and you still face all the potential distrust, brand impact, negative press and consequences which can come with severe breaches and flagrant neglect. In most cases cyber insurance is only good for a part of the challenge (breaches), not for reputation harm or being non-compliant.
We recently wrote about the disconnect between perceived GDPR readiness/compliance and the actual state of GDPR compliance in organizations, mentioning research from Proofpoint. That same research found that many organizations indeed prefer to mitigate their risk exposure rather than going full throttle for GDPR compliance, and are preparing to manage the fallout in case of non-compliance, including the mentioned cyber insurance aspect.
Two data points: 1) nearly a quarter of respondents have purchased cyber insurance in case of breaches and 2) only 39 percent of businesses think they are financially prepared for GDPR fines once the General Data Protection Regulation is in effect.
GDPR fines and other sanctions and penalties
GDPR fines, strictly speaking administrative fines, are just one of many sanction mechanisms, even if they are the ones we most often read about.
The GDPR has several penalties and sanctions which can be applied by the Data Protection Authority (DPA), and which can sometimes be combined, as the illustration of the sanction mechanism below shows. Although this graphic mainly takes the perspective of the DPA and the case where there is a suspicion that a country doesn’t respect GDPR rules, it makes things more tangible.
On top of actions that DPAs can take in the scope of their role to monitor compliance, there are obviously all the other ways that activate the sanction mechanism: personal data breaches, complaints of a citizen (whereby the DPA can be contacted or the citizen can go to court) and so forth.
In the case depicted below you see what can happen from the fine and sanctions perspective. If some rule is breached and does require a sanction, then, depending on the context as we tackle in this article, the DPA can decide to impose an administrative fine or to impose another sanction, such as a reprimand, a temporary or definitive ban on processing, a suspension of data flows to a recipient in a third country and so forth.
And, indeed, in some cases a fine can be combined with some of those other sanctions.
Guidelines on the application and setting of GDPR fines: the Article 29 Working Party clarifies (somewhat)
So, keeping in mind that it’s key to get as compliant as possible with all those steps to take, starting from awareness and staff awareness and all those other strategic steps, let’s start with looking a bit more in-depth into those GDPR fines and penalties.
It’s never bad to be insured, of course, but you do want to know what you are up to and not bet on just one aspect such as cyber insurance or some basic security precautions. It takes multiple levels (and do take into account that not every country has the same rules on what can be insured and what cannot, which is another discussion again).
In order to understand the practical aspects of the GDPR, including the GDPR fines, it’s important to look at something else: the guidelines of the Article 29 Working Party, a.k.a., Art. 29 WP.
The Article 29 Working Party is an advisory body and consists of the European Data Protection Supervisor, EC (representatives) and EU Member State reps. It has existed since the predecessor of the GDPR, the Data Protection Directive, and has been extremely busy lately making (draft) guidelines on several aspects of the GDPR (the GDPR also foresees the replacement of the Article 29 Working Party by the European Data Protection Board or EDPB).
In October 2017 the Article 29 Working Party published the ‘Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679’ (the official name of the GDPR).
In other words: there now are guidelines for the supervisory authorities to better apply and enforce the GDPR from the fines perspective and you might want to know what these GDPR fine guidelines, to put it simply, are.
It should be noticed that breaches of the Regulation, which by their nature might fall into the category of “up to 10 million Euros or up to 2% of total annual worldwide turnover” as set out in article 83 (4), might end up qualifying for a higher tier (Euro 20 million) category in certain circumstances. (Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, October 2017)
Do not expect a big list with multiple scenarios and loads of details on which fine applies when. It would be impossible to do so, of course. Each individual case is different. Moreover, as the guidelines document clearly stipulates: ‘These guidelines are not exhaustive, neither will they provide explanations about the differences between administrative, civil or criminal law systems when imposing administrative sanctions in general’.
However, the ‘Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679’ do clarify a few things about GDPR fines, especially regarding the ‘common understanding of the assessment criteria in article 83 (2)’.
After having set out some of the principles, the guidelines zoom in on several of these assessment criteria, as you can see in the document below.
Doing your GDPR homework, however, doesn’t just mean learning about cyber insurance, Article 83 or the guidelines from the Article 29 Working Party. It starts with having a strategic approach to GDPR that includes several steps and starts with a good understanding of the Regulation and aspects such as privacy by design and what data subjects, personal data, identifiers and sensitive data are under GDPR.
In determining fines in the past (under the predecessor of the GDPR) supervisory authorities in Member States have not often applied maximum fines but always took into account various aspects.
Whether they will be much stricter is a question that remains open, but the focus is way too much on the fines and not enough on getting as GDPR compliant as possible, knowing that fines and penalties should be effective but also proportionate, and that your level of compliance will of course play a role.