GDPR breach: fines and mistrust

Violation of privacy legislation can lead to serious consequences for a company. This includes administrative fines, depending on your business and the degree of violation. In addition to financial penalties, a company can also suffer damage to its reputation and trust among customers and partners. If you are found to be acting in breach of the GDPR, there are some things you can do to reduce the consequences.

This blog is about what happens if you violate the GDPR after a data breach, how fines are set and what you can do as a company to reduce your liability.

The GDPR makes some violations more severe than others, with two tiers of fines: 

1. Minor GDPR offences are fined of up to €10 million, or 2% of your company’s worldwide annual revenue from the last fiscal year, whichever is higher.
2. Serious GDPR offences are fined of up to €20 million, or 4% of your company’s worldwide annual revenue from the preceding financial year, whichever is higher.

Let’s look what types of violations fit into each of these categories, with references to relevant GDPR articles so you can check your compliance.

According to Article 83, potential fines can increase or decrease based on the following factors: 

Your fines may increase based on: 

• The nature, gravity, and duration of the infringement  
• The intentional or negligent character of the infringement 
• Previous infringements 
• The categories of personal data affected by the infringement 
• Any other aggravating factor 

Your fines may decrease based on: 

• Any actions you take to mitigate damage suffered by data subjects 
• Any preventitive technical and organisational measures measures you set up 
• Whether you notified the supervisory authority of the infringement on time 
• Wherther you followed codes of conduct listed in Article 40 
• Any other mitigating factor 

This is for minor offences, including: 

• Violating the rules of data protection, lawful basis for processing, etc., for data controllers (that’s your company!) and processors. So, monitor your own processes and vet any third-party services you use  Articles 8, 11, 25-39, 42, and 43 
• Violations of the rules for certifying organisations to execute their evaluations and assessments with transparency and without bias. (Articles 42 and 43) 
• Violations of the rules for monitoring bodies to handle complaints or reported infringements in an impartial and transparent manner. (Article 41) 

These offences are fined for of up to €10 million, or 2% of your company’s worldwide annual revenue from the last fiscal year, depending og which is higher.

These higher fines apply to: 

• Violations of the basic principles for data processing. For example, collecting or keeping data for purposes other then you specified, storing inaccurate or out-of-date information about someone, keeping data too long, or processing sensitive data at all (except in special circumstances) could lead to major fines. (Articles 5, 6 and 9) 
• Violations of the rules for consent. Make sure your consents are clear, explicit and freely given, then log them to prove it! Article 7 
• Violations of data subject rights. This includes failure to respond to Data Subject Access Requests (DSARs) on time Articles 12-22  
• Transferring data outside of the EEA without first getting the approval of the European Commision, or without proper protection in transit. Articles 44-49 

These offences are fined for of up to €20 million, or 4% of your company’s worldwide annual revenue from the last fiscal year, depending og which is higher.

Individual EU member states have the right to pass additional data protection laws if they are in accordance with GDPR principles –Chapter IX. Local supervisory authorities may also give orders to a company specifically. Violating either of these local laws or direct orders from supervisory authorities is a major offense with a huge fine. 

On top of administrative fines, individuals can sue for additional damages if the GDPR violation caused them material or non-material harm. Article 82  

When a company breaks privacy rules, it can result in significant damage to its reputation and trust among both customers and business partners. Customers expect their personal data to be handled securely and responsibly, and any breach of this trust can lead to loss of customer relationships and negative publicity on social media and other platforms. In addition, partners and suppliers may be reluctant to cooperate with a company that shows a lack of respect for data protection, which can limit the company’s opportunities for growth and cooperation in the long term. In reality, the distrust resulting from a GDPR breach can have greater consequences for a company than a financial fine.

Remember that putting “organisational and technical measures in place” reduces your liability even if you are found in violation of the GDPR.  

Our software was designed to help SMBs:  

• Share personal data securely by email, and automatically get consent when requesting it; with secure folders to store the data, customisable data retention limits and logs to demonstrate compliance. Try ShareSimple → 
• Respond to DSARs, with a request portal that verifies each requester’s identity before delivering the request to your dashboard, notifications to remind you to respond on time, easy data collection options, secure data transfer, consents, and logs to demonstrate compliance. Try RequestManager → 
• Discover personal and sensitive data your company stores. Find out where your company stores personal data, who in your company has access to it, how old it is, its risk level, and category. Evaluate your data processing and policies and make sure they are in line with the GDPR, minimise (delete!) old data, or data you no longer need, make sure high-risk data you do need is stored securely, and more. Try DataMapper → 

 It’s impossible to 100% eliminate the risk of data breaches and fines, but there is a lot you can do now to mitigate risk, protect people’s privacy, show good faith, and demonstrate compliant privacy practices.