GDPR fines

GDPR fines make non-compliance a costly mistake, whether your company is a sole-proprietorship or a global enterprise. Your company is subject to GDPR fines if you market to, or do business with EU citizens or residents, regardless of your company’s size or where your company is physically located in the world.  Additionally, many other countries and regions have made their own data privacy regulations, broadening the scope of privacy protections even further, making most of the world’s companies subject to data regulations, and potential fines. 

However, fines do scale according to the size of your company’s revenue, and there are a few things you can do now to decrease your liability in case you are found in violation of the GDPR. So how much will a GDPR violation cost you? Let’s look at how fines are assessed and what will increase or decrease your liability. 

According to Article 83, potential fines can increase or decrease based on the following factors: 

Your fines may increase based on: 

• The nature, gravity, and duration of the infringement  
• The intentional or negligent character of the infringement 
• Previous infringements 
• The categories of personal data affected by the infringement 
• Any other aggravating factor 

Your fines may decrease based on: 

• Any actions you take to mitigate damage suffered by data subjects 
• Any preventitive technical and organisational measures measures you set up 
• Whether you notified the supervisory authority of the infringement on time 
• Wherther you followed codes of conduct listed in Article 40 
• Any other mitigating factor 

The GDPR makes some violations more severe than others, with two tiers of fines: 

1. Fines of up to €10 million, or 2% of your company’s worldwide annual revenue from the last fiscal year, whichever is higher.
2. Fines of up to €20 million, or 4% of your company’s worldwide annual revenue from the preceding financial year, whichever is higher.

Let’s look what types of violations fit into each of these categories, with references to relevant GDPR articles so you can check your compliance.

This is for minor offences, including: 

• Violating the rules of data protection, lawful basis for processing, etc., for data controllers (that’s your company!) and processors. So, monitor your own processes and vet any third-party services you use  Articles 8, 11, 25-39, 42, and 43 
• Violations of the rules for certifying organizations to execute their evaluations and assessments with transparency and without bias. (Articles 42 and 43) 
• Violations of the rules for monitoring bodies to handle complaints or reported infringements in an impartial and transparent manner. (Article 41) 

These offences are fined for of up to €10 million, or 2% of your company’s worldwide annual revenue from the last fiscal year, depending og which is higher.

These higher fines apply to: 

• Violations of the basic principles for data processing. For example, collecting or keeping data for purposes other then you specified, storing inaccurate or out-of-date information about someone, keeping data too long, or processing sensitive data at all (except in special circumstances) could lead to major fines. (Articles 5, 6 and 9) 
• Violations of the rules for consent. Make sure your consents are clear, explicit and freely given, then log them to prove it! Article 7 
• Violations of data subject rights. This includes failure to respond to Data Subject Access Requests (DSARs) on time Articles 12-22  
• Transferring data outside of the EEA without first getting the approval of the European Commision, or without proper protection in transit. Articles 44-49 

These offences are fined for of up to €20 million, or 4% of your company’s worldwide annual revenue from the last fiscal year, depending og which is higher.

Individual EU member states have the right to pass additional data protection laws if they are in accordance with GDPR principles –Chapter IX. Local supervisory authorities may also give orders to a company specifically. Violating either of these local laws or direct orders from supervisory authorities is a major offense with a huge fine. 

On top of administrative fines, individuals can sue for additional damages if the GDPR violation caused them material or non-material harm. Article 82  

Let’s look at two real-life examples of GDPR fines and how you can avoid similar fines.

Example #1: Capio St. Göran’s Hospital €2.9 million
A Swedish healthcare provider received a €2.9 million GDPR fine following an audit of one of its hospitals by the Swedish DPA. The company had neglected to carry out appropriate risk assessments and implement effective access controls, leading to too many employees having access to sensitive personal data.

How you can avoid GDPR fines like this one:

• Conduct a data protection impact assessment (DPIA) if you begin new and risky data collection/processing activities.
• Make sure you know which of your employees/departments have access to sensitive data.
• Restrict access to only those employees/departments who really need it.

Example #2: BBVA (Banco Bilbao Vizcaya Argentaria, S.A.) €5 million
A Spanish financial services company was fined €5 million. €3 million for sending SMS messages without obtaining consumers’ consent, and €2 million for a lack of transparency in their privacy policy, which failed to properly explain they collect and use customers’ personal data.

How you can avoid GDPR fines like this one:

• Make sure you get clear, explicit, and freely given consent (then log it!) before using customer data for marketing activities, or anything else.
• Link your privacy policy to your consent pop-ups or any other time people give you their email address or other personal data on your website.
• Review your privacy policy and make sure it includes all the details required by GDPR Articles 13 and 14. Use our free privacy policy template to help you get started.

Remember that putting “organisational and technical measures in place” reduces your liability even if you are found in violation of the GDPR.  

Our software was designed to help SMBs:  

• Share personal data securely by email, and automatically get consent when requesting it; with secure folders to store the data, customizable data retention limits and logs to demonstrate compliance. Try ShareSimple → 
• Respond to DSARs, with a request portal that verifies each requester’s identity before delivering the request to your dashboard, notifications to remind you to respond on time, easy data collection options, secure data transfer, consents, and logs to demonstrate compliance. Try RequestManager → 
• Discover personal and sensitive data your company stores. Find out where your company stores personal data, who in your company has access to it, how old it is, its risk level, and category. Evaluate your data processing and policies and make sure they are in line with the GDPR, minimise (delete!) old data, or data you no longer need, make sure high-risk data you do need is stored securely, and more. Try DataMapper → 

 It’s impossible to 100% eliminate the risk of data breaches and fines, but there is a lot you can do now to mitigate risk, protect people’s privacy, show good faith, and demonstrate compliant privacy practices.