How to Avoid GDPR Penalties

This article was co-written by Kris Lahiri, Data Protection Officer and Dawid Balut, Egnyte Architect.

Self-reporting can greatly reduce violation fines. If a company shows an effort to comply, there will be fewer penalties. Exact fines depend on a number of factors, including the severity of noncompliance, the degree to which an organization fails to set up preventive mechanisms, and the compliance measures are taken. 100% compliance is a myth and as long as a business has done all it can to prioritize GDPR awareness company-wide, fines can be avoided altogether.

According to the GDPR, there are two tiers of fines; €10 million or 2% of the total annual turnover of the preceding financial year, whichever is higher, and up to €20 million or 4%. However, this doesn’t mean each GDPR violation will result in fines this high.

Here is a paraphrased version of criteria listed in GDPR Art. 83.1. The following will be used to determine fines.

1. The nature and duration of the infringement - purpose of the processing, number of people affected, amount of damage suffered
2. Intention - to what extent was this infringement allowed or caused by company negligence
3. Action taken - how much effort did the company take to mitigate damage suffered by data subjects
4. Protection measures implemented by a company - did this company truly invest in data protection
5. Previous infringements by the company - what is the company’s history (i.e. have they experienced data breaches in the past)
6. Degree of cooperation with the supervisory authority - has the company reported previous breaches and did they cooperate with authorities to remedy the issue
7. Categories of personal data affected by the infringement - what kind of data is exposed
8. Notification manner and timing - how was the incident reported to authorities and was the report complete and honest
9. Adherence to approved codes of conduct or approved certification mechanisms - how closely did the company follow relevant protocol
10. Other aggravating or mitigating factors - were there financial benefits gained or losses avoided, directly or indirectly, from the infringement.

The information above informs that with proper communication, you can largely decrease your penalties. On the other hand, if you try to hide a breach and it becomes public, your penalties are expected to increase given failure to comply with the aforementioned criteria.

GDPR’s mission is to put customers and their data security first and should encourage cooperation with supervisory authorities. The regulation stands for important matters we need to address, such as ensuring that data processing companies respect the data of their users. Fines and penalties are just tools used to enforce global change.

Attend webinar to learn more about GDPR after the May 25th enforcement.