What happens if you breach GDPR?
Violating privacy legislation can have serious consequences for a company. These include administrative fines, scaled to the size of the business and the seriousness of the violation. Beyond the financial penalty, a company can also suffer damage to its reputation and to the trust of customers and partners. If you are found to be in breach of the GDPR, there are still things you can do to reduce the consequences.
This post covers what happens if you violate the GDPR, how fines are set, and what you can do as a company to reduce your liability.
Fines for infringing the GDPR
The GDPR treats some violations as more severe than others and sets two tiers of administrative fines (Article 83):
- Lower-tier GDPR offences are fined up to €10 million, or 2% of your company’s total worldwide annual turnover for the preceding financial year, whichever is higher.
- Higher-tier GDPR offences are fined up to €20 million, or 4% of your company’s total worldwide annual turnover for the preceding financial year, whichever is higher.
Let’s look at which types of violations fall into each category, with references to the relevant GDPR articles so you can check your own compliance.
Factors that can affect GDPR fines
According to Article 83(2), the supervisory authority decides whether to impose a fine, and how large, after weighing the following factors in each individual case:
Your fines may increase based on:
- The nature, gravity, and duration of the infringement
- The intentional or negligent character of the infringement
- Previous infringements
- The categories of personal data affected by the infringement
- Any other aggravating factor
Your fines may decrease based on:
- Any action you take to mitigate the damage suffered by data subjects
- Any preventive technical and organisational measures you had in place (Articles 25 and 32)
- Your cooperation with the supervisory authority, including whether and how promptly you notified it of the infringement (Article 33 requires a personal data breach to be reported without undue delay and, where feasible, within 72 hours of becoming aware of it)
- Whether you adhered to an approved code of conduct (Article 40) or certification mechanism (Article 42)
- Any other mitigating factor
Minor GDPR offences
The lower tier covers:
- Violating the obligations placed on controllers (that’s your company!) and processors: data protection by design and by default, records of processing, security of processing, breach notification, data protection impact assessments, appointing a data protection officer, and so on. Monitor your own processes and vet any third-party processors you use. (Articles 8, 11, 25-39, 42 and 43)
- Violations of the rules for certification bodies, which must carry out their evaluations and assessments transparently and without bias. (Articles 42 and 43)
- Violations of the rules for monitoring bodies, which must handle complaints and reported infringements impartially and transparently. (Article 41)
These offences are fined up to €10 million, or 2% of your company’s total worldwide annual turnover for the preceding financial year, whichever is higher.
Serious GDPR infringements
The higher tier applies to:
- Violations of the basic principles of data processing. For example, collecting or keeping data for purposes other than the ones you specified, storing inaccurate or out-of-date information about someone, keeping data longer than necessary, or processing special-category (sensitive) data without one of the Article 9 exceptions can all lead to major fines. (Articles 5, 6 and 9)
- Violations of the rules for consent. Make sure consent is freely given, specific, informed and unambiguous (and explicit where special-category data is involved), then record it so you can demonstrate it. (Article 7)
- Violations of data subject rights. This includes failing to respond to Data Subject Access Requests (DSARs) within one month, extendable by two further months for complex requests. (Articles 12-22)
- Transferring personal data outside the EEA without an adequacy decision from the European Commission, appropriate safeguards such as standard contractual clauses or binding corporate rules, or one of the narrow derogations in Article 49. (Articles 44-49)
These offences are fined up to €20 million, or 4% of your company’s total worldwide annual turnover for the preceding financial year, whichever is higher.
Individual EU member states may pass additional data protection laws, provided they are consistent with the GDPR (Chapter IX). Local supervisory authorities may also issue orders to a specific company. Violating either these national rules or a direct order from a supervisory authority falls in the higher tier as well. (Article 83(5) and (6))
On top of administrative fines, individuals can sue for compensation if the GDPR violation caused them material or non-material damage. (Article 82)
GDPR fine examples
Let’s look at two real-life examples of GDPR fines and how you can avoid similar fines.
Example #1: Capio St. Göran’s Hospital €2.9 million
A Swedish healthcare provider received a €2.9 million GDPR fine following an audit of one of its hospitals by the Swedish DPA. The company had not carried out appropriate risk assessments of its medical records system and had not implemented effective access controls, so far more employees could read sensitive patient data than needed to.
How you can avoid GDPR fines like this one:
- Conduct a data protection impact assessment (DPIA) before you begin new, high-risk data collection or processing activities. (Article 35)
- Know exactly which employees and departments can access sensitive data, and log who actually reads it.
- Restrict access to those who need it for their role, and review entitlements regularly so that unused or over-broad access is removed.
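The kind of access review the last two points describe, as an added example that is not part of the original post and not any vendor's code. It assumes you can export a list of accounts, their role, and the record categories each account can read, plus an access log for the review window; the role model, entitlement export and access log below are constructed for the example. It flags two things: grants that go beyond what the role needs (excess), and grants the role does need but the account never used (dormant), with anything touching special-category data sorted to the top.

```python
"""Least-privilege access review over an entitlement export.

Added example, not code from the original post or from any vendor. Role
model, entitlement export and access log are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Which record categories each role needs (need-to-know model; constructed).
ROLE_NEEDS = {
    "physician": {"medical_records", "prescriptions"},
    "nurse": {"medical_records"},
    "billing": {"invoices"},
    "it_admin": set(),  # admins run the system; they do not need the patient data in it
}

# Categories that are Article 9 special-category data (constructed).
SENSITIVE = {"medical_records", "prescriptions"}

# Entitlement export: (account, role, categories the account can read). Constructed.
ENTITLEMENTS = [
    ("alice", "physician", {"medical_records", "prescriptions"}),
    ("bob", "nurse", {"medical_records", "prescriptions"}),
    ("carol", "billing", {"invoices", "medical_records"}),
    ("dave", "it_admin", {"medical_records", "prescriptions", "invoices"}),
    ("erin", "physician", {"medical_records"}),
]

# Access log for the review window: (account, category actually read). Constructed.
ACCESS_LOG = [
    ("alice", "medical_records"), ("alice", "prescriptions"),
    ("bob", "medical_records"),
    ("carol", "invoices"),
]


@dataclass(frozen=True)
class Finding:
    account: str
    role: str
    kind: str            # "excess": beyond the role; "dormant": justified but never used
    categories: frozenset
    sensitive: bool      # touches special-category data, so review it first


def review(entitlements, access_log, role_needs=ROLE_NEEDS, sensitive=SENSITIVE):
    """Return findings for grants beyond the role and for grants never exercised."""
    used = defaultdict(set)
    for account, category in access_log:
        used[account].add(category)

    findings = []
    for account, role, granted in entitlements:
        needed = role_needs.get(role, set())  # unknown role: nothing is justified
        excess = set(granted) - needed
        if excess:
            findings.append(Finding(account, role, "excess", frozenset(excess),
                                    bool(excess & sensitive)))
        dormant = (set(granted) & needed) - used[account]
        if dormant:
            findings.append(Finding(account, role, "dormant", frozenset(dormant),
                                    bool(dormant & sensitive)))
    # Sensitive excess first, then sensitive dormant, then everything else.
    findings.sort(key=lambda f: (not f.sensitive, f.kind != "excess", f.account))
    return findings


def exposure_by_category(findings):
    """Per record category, the accounts whose grant should be removed or re-justified."""
    out = defaultdict(set)
    for f in findings:
        for c in f.categories:
            out[c].add(f.account)
    return {c: sorted(accounts) for c, accounts in sorted(out.items())}


if __name__ == "__main__":
    fs = review(ENTITLEMENTS, ACCESS_LOG)
    for f in fs:
        flag = "SENSITIVE " if f.sensitive else ""
        print(f"{flag}{f.kind:8} {f.account:6} ({f.role}): {sorted(f.categories)}")
    print(exposure_by_category(fs))
```

Run on the constructed data, the review flags the nurse with prescription access, the billing account that can read medical records, the admin account that can read everything, and a physician whose medical-records grant was never used in the window. The first three are the pattern behind the Capio fine; the fourth is a grant worth questioning before an auditor does. Feed it your real entitlement export and access log and re-run it on a schedule.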
Example #2: BBVA (Banco Bilbao Vizcaya Argentaria, S.A.) €5 million
A Spanish bank was fined €5 million by the Spanish DPA: €3 million for sending marketing SMS messages without customers’ consent, and €2 million for a lack of transparency in its privacy policy, which failed to properly explain how it collected and used customers’ personal data.
How you can avoid GDPR fines like this one:
- Obtain clear, explicit and freely given consent before using customer data for marketing or any other purpose not covered by another lawful basis, and record it so you can prove it later.
- Link your privacy policy from your consent prompts and from every other place on your website where people hand over an email address or other personal data.
- Review your privacy policy and make sure it contains all the information required by GDPR Articles 13 and 14. Use our free privacy policy template to help you get started.
Distrust after a GDPR breach
When a company breaks privacy rules, the damage to its reputation and to the trust of customers and business partners can be significant. Customers expect their personal data to be handled securely and responsibly, and a breach of that trust can cost you customer relationships and bring negative publicity on social media and elsewhere. Partners and suppliers may also be reluctant to work with a company that shows a lack of respect for data protection, which limits its opportunities for growth and cooperation in the long term. In practice, the distrust that follows a GDPR breach can cost a company more than the fine itself.
How to reduce GDPR fines and distrust
Remember that having appropriate technical and organisational measures in place (Articles 25 and 32) counts in your favour under Article 83(2) even if you are found to be in violation of the GDPR.
Our software was designed to help SMBs:
- Share personal data securely by email and automatically collect consent when requesting data, with secure folders to store it, configurable data retention limits, and logs to demonstrate compliance. Try ShareSimple →
- Respond to DSARs with a request portal that verifies each requester’s identity before the request reaches your dashboard, reminders so you respond on time, simple data collection, secure transfer, consent handling, and logs to demonstrate compliance. Try RequestManager →
- Discover the personal and sensitive data your company stores: where it is, who in your company has access to it, how old it is, and its category and risk level. Check that your data processing and policies are in line with the GDPR, minimise (delete!) data you no longer need, and make sure the high-risk data you do need is stored securely. Try DataMapper →
It is impossible to eliminate the risk of data breaches and fines entirely, but there is a lot you can do now to reduce it, protect people’s privacy, show good faith, and demonstrate compliant privacy practices.
Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist