Companies that fail to comply with the General Data Protection Regulation (GDPR) standards for data protection, data security, and data processing may face some pretty steep fines.
GDPR compliance means that every organization doing business within the European Union (EU) must adhere to strict rules to safeguard the personal data and privacy of people (data subjects) living in one of the EU member states.
Effective May 25, 2018, the GDPR was designed to give users more control over their data and offer more transparency into the data collection process.
Under GDPR enforcement, fines are administered by the n each EU country. These data protection authorities determine whether violations have occurred as well as the severity of the penalties.
There are two tiers of administrative fines levied on data controllers and data processors as penalties for non-compliance.
A lower-level violation can warrant a fine of up to €10 million (US $11.03 million) or 2% of the company’s worldwide annual turnover (revenue), whichever is greater. The maximum fine is up to €20 million (US $22.07 million) or 4% of worldwide annual turnover, whichever is greater.
These lower-tier fines are usually levied on companies that:
- don’t have data protection policies in place for the services they offer to the public.
- don’t cooperate with data regulators.
- haven’t assigned data protection officers.
- don’t inform data subjects when their personal data is compromised.
- don’t keep adequate records of the data they process.
The higher tier fines are typically imposed on organizations that commit the most serious GDPR violations, including:
- breaching the data and privacy rights of EU data subjects.
- not following the basic principles of data protection.
- refusing to comply with the demands and requests of data regulators, such as not complying with previous warnings or orders on processing data.
However, administrative GDPR fines for non-compliance are discretionary, not mandatory. The data protection laws mean authorities in the EU countries must impose fines on a case-by-case basis. The regulators should also consider whether the GDPR infringement was intentional, how many data subjects were affected and if the controller or processor had any previous infringements.
A supervisory authority, such as the United Kingdom’s Information Commissioner’s Office, can take other measures if it determines there has been or is likely to be a data breach. These actions include warnings, reprimands, and ordering companies to take corrective actions to ensure they comply with the GDPR.