What are the penalties associated with GDPR?
As previously explained, GDPR is a new law governing the collection and use of personal data. It will affect people or organizations which are established in the European Union or which offer goods or services to or monitor the behavior of people living in the EU. It came into force on 25 May 2018.
One of the biggest changes made by GDPR compared to the previous regime is the threat of potentially huge fines for breaches, going up to €20,000,000 or 4% of your global turnover, whichever is higher.
In this article we will go into how GDPR is enforced, the enforcement actions that can be taken if there is a breach, and examples of the two levels of breach, along with the maximum fines possible for each.
GDPR is enforced by supervisory authorities, which are established by national governments within the EU (for example, the Information Commissioner’s Office in the UK). If your organization processes the data of data subjects in multiple EU countries, then under Article 56 you will primarily deal with the supervisory authority of the EU country where you have your main establishment:
- Your main establishment is usually your place of central administration within the EU.
- However, for data controllers it may be another location if that is where decisions are made on the means and purposes of processing, and if it has the power to have those decisions implemented.
- For data processors, if they have no central administration, then it will be the location where the main processing activities take place.
- If you have no establishment in the EU but have instead designated a representative within the EU (see our article about who GDPR applies to), then presumably this will count as your main establishment.
Note that your main establishment (and so the relevant supervisory authority) may be different for different sets of data. For example, you may deal with customer data in one country, but employee data in another.
Also note that other supervisory authorities will still be entitled to investigate data protection issues relating to their own countries and residents in those countries.
Under Article 58, supervisory authorities have the power to investigate data protection issues. They can order data controllers and processors to give them access to personal data held and generally provide any information necessary to help them investigate. They can also gain access to premises and equipment, according to the normal legal processes (for example by getting warrants).
If they find that there has been or is likely to be a breach, they have the following powers:
- The power to issue warnings if proposed operations are likely to be in breach.
- The power to issue reprimands if past operations were in breach.
- The power to order data controllers and processors to cooperate with data subjects seeking to exercise their rights over their data.
- The power to order data controllers and processors to bring their operations into compliance with the Regulation within a specified time.
- The power to order data controllers to notify data subjects of a personal data breach.
- The power to impose a limitation or ban on processing, temporarily or permanently.
- The power to order the amendment or deletion of personal data.
- The power to order the suspension of data transfers to a non-EU country or international organization.
- The power to impose fines.
As can be seen from the list above, supervisory authorities have a number of alternatives to issuing fines, including giving reprimands and requiring corrective action. In practice, enforcement policies are likely to vary from country to country.
Supervisory authorities are required (by Article 83) to ensure that any fines they do impose are effective, proportionate and dissuasive. They should take into account a number of factors when setting the level of the fine, including the nature, gravity and duration of the infringement, any action taken to mitigate the damage, cooperation with the supervisory authority, previous infringements and warnings, and adherence to any national codes of conduct or certification procedures.
Maximum fines are set for lower-level breaches and higher-level breaches, which will be explained below. If multiple infringements are found connected to the same or linked processing operations, the fine is still capped at the maximum for the gravest infringement.
Lower Level Breaches
For lower level breaches, the maximum fine is €10,000,000 or 2% of your global turnover in the previous financial year, whichever is higher. Some of the main types of breach which fall into this category include:
- Failing to keep adequate records of processing activities.
- Failing to cooperate with a supervisory authority.
- Failing to notify data subjects or a supervisory authority of a personal data breach.
- Failing to take steps to get a parent or guardian’s consent or authorization to process the personal data of a child under 16.
- Failing to appoint a representative within the EU (if you are not established in an EU country).
- Failing to appoint a data protection officer (where appropriate).
- Failing to carry out a data protection impact assessment or consult with the supervisory authority (where appropriate).
- Data processors acting outside of the scope of documented instructions from data controllers.
- Data controllers engaging data processors without the appropriate safeguards in the contract, or without getting sufficient guarantees that they can and will process the data according to GDPR.
Higher Level Breaches
For higher level breaches, the maximum fine is €20,000,000 or 4% of your global turnover in the previous financial year, whichever is higher. Some of the main types of breach which fall into this category include:
- Processing personal data without a lawful ground, such as by failing to obtain adequate consent.
- Collecting more data than is needed for the explicit and legitimate purposes of the processing, or keeping it for longer than necessary.
- Failing to keep adequate records of data protection processes.
- Failing to cooperate with data subjects seeking to exercise their rights over their data.
- Transferring data to a country outside of the EU or to an international organization without the appropriate safeguards.
- Failing to comply with the order of a supervisory authority.
The maximums go to show how high the stakes are for data controllers and processors. In addition, Article 82 also specifically states that data subjects have a right to be compensated by data controllers and processors for damage caused as a result of breaches of GDPR.
It is hard to know to what extent these astronomical fines will be imposed in practice. Supervisory authorities may well tend to stick to low-level fines and their other enforcement powers. However, it is also possible that they will look to make an example of organizations which commit serious breaches by imposing punitive fines.
The best way to prevent this happening to your organization is to avoid the kind of situation where any enforcement action is necessary. To do this, you will need to understand the main obligations under GDPR and what you need to do about them. We will start going into depth about these obligations in the next article.