GDPR penalties make non-compliance an expensive mistake for any size of business. The GDPR Article 83 has introduced a tiered approach to penalties, meaning that the severity of the breach will determine the penalty imposed.
Tiers of GDPR penalties
Not having their records in order or failing to report any breaches to the authorities can be fined a maximum of 2% of their annual global turnover. The maximum penalty a company can face is 4% of their annual global turnover, of €20 million, whichever is the highest.
The assessment criteria when imposing the GDPR fine
Under the GDPR, penalties will be administered by the data protection authority of each EU member state. They will take into account the following criteria when assessing the breach:
- Establish how many infringements (and therefore, penalties) there are
- Assessment of category of infringement
- Assessment of the seriousness of the infringement
- According Article 83(2)(a):
- Nature of the infringement (i.e. the specific section of GDPR framework);
- The gravity of the infringement, considering the nature, scope and purpose of the processing, the number of data subjects concretely and potentially affected and the level of damage to the individual’s rights and freedoms;
- Duration of the infringement;
- Intention– whether the violation was intentional or was negligence;
- Categories of personal data affected – whether the nature of personal data has the potential to cause immediate damages or distress and attract greater weight to the breach;
- According Article 83(2)(a):
- Potential reduction of the starting amount of the penalty, based on smaller turnover;
- Assessment of mitigating and aggravating factors;
- Did the organization take any type of action to mitigate the damage suffered by data subjects;
- Responsibility – the degree of responsibility the organization has demonstrated so far regarding the implementation of appropriate technical and organizational measures;
- Previous violations – any relevant previous infringements by the organization;
- Level of cooperation – the level of cooperation with the supervisory authority that the organization demonstrated in order to remedy the violation and mitigate the possible effects;
- Notification of the violation – whether (and to what extent) did the organization notify the supervisory authority about the violation;
- History – were there any corrective measures previously issued against the organization regarding the same subject?
- Codes of conduct – did the organization adhere to approved codes of conduct or approved certification mechanisms;
- Check the sum against the maximum penalty defined by the GDPR;
- Analysis of effectiveness, dissuasiveness and proportionality.
Example GDPR penalty calculator
Fine calculator based on German Data Protection Authority instructions
List of GDPR penalties applied
GDPR Enforcement tracker is a database of fines and penalties that data protection authorities within the EU have imposed under the EU General Data Protection Regulation
