The most widely discussed aspect of the GDPR are the fines and penalties. We explain what are the GDPR fines for non-compliance and how to avoid them.
GDPR Maximum Fines for non-compliance
The GDPR imposes maximum fines of €20 million or 4% of annual worldwide turnover, whichever is higher. The organisation that will have to pay this amount is the one who fails to comply with the data protection principles. The GDPR principles are: transparency, fairness, accountability, data accuracy and minimisation.
Also, the DPAs will impose this fine to an organisation that violates the individual rights. The individual rights that must be remembered are: right to access, rectification, portability and erasure.
Finally, as an organisation you should take in consideration the transfers to 'third countries'. If you break the rules regarding the transfer of data to organisations outside the EEA and without an 'adequacy' designation by the EA the authorities will sanction you.
GDPR standard fines for non-compliance
There is also a standard maximum fine of €10 million or 2% of annual worldwide turnover, whichever is higher. If an organisation fails to gain proper consent of a child, establish a designated representative in EU or fails to adequately secure personal data they will have to pay the mentioned amount.
Similarly, an organisation will be sanctioned if it fails to implement data protection by design and default.
Processing Bans and Other Correctional Powers
Under the GDPR, Data Protection Authorities have powers to correct existing issues and prevent future non-compliance. They can issue warnings or reprimands. Also, the DPAs can order an organisation to bring their processing activities into compliance.
They also have the power to impose a ban on processing data or to order the rectification, restriction or erasure of data.
If an organisation transfers data to third countries, the DPAs can order the suspension of data flows.
How to avoid the fines?
Here are some tips that will help you to avoid GDPR penalties.
Firstly, make your team representative of the parts of your business that might handle, secure, or govern personal data. Secondly, you should do a data mapping by checking what type of personal data you are processing and how sensitive it is.
Thirdly, and very important, you should review your documentation. This means you make sure you have an externally facing privacy policy that meets the requirements set out in Articles 13 and 14. The GDPR requires to the authorities to disclose specific information and affected parties in the event of a data breach. Therefore, you should have templates and policies that describe the notification and breach response process.
In addition, you should fix any mismatches or gaps after reviewing your documentation.
Finally, you need to train employees who handle personal data. You should also educate management, particularly your data protection officer or equivalent point person, in GDPR requirements.
Will the maximum fines always be applied?
Data Protection Authorities do have the powers to apply the full fines in cases of non-compliance. They will impose it only in the most serious of cases.
DPAs should issue fines based on the perceived impact to individuals, the scale of the issue and the organisation’s response to the issue. Fines should be effective, proportionate and dissuasive.
Whilst the penalties for non-compliance with the GDPR are intended to be an effective deterrent, businesses should focus on getting up to scratch with their compliance strategy and have effective processes in place should an audit or data breach occur. Read our post Is GDPR Is Good For Business? to find out how compliance can help your business grow.
Find out how the Sovy GDPR Privacy Essentials can help you or- Get in touch with us for more information.
