#AtoZofGDPR - F is for Fines

Written by Stuart Anderson in #AtoZofGDPR on November 2, 2018

#AtoZofGDPR - F is for Fines

Fines, Fines, Fines.

That's what a lot of people (who are probably trying to sell you something) concentrte on when talking about GDPR. There has been a lot of scaremongering in relation to the fines that can be imposed under the GDPR. I believe that this scaremongering, along with the heretofore lack of prosecution and subsequent massive fine, has led to a lot of organisations doing little in the way of compliance as they think the threat is toothless. Put simply, in the words of a business consultant I met the other day “It’s the same as Y2K. 25th May has been and gone. No one has been fined €20 million so it’s business as usual. I mean, Facebook only got done for £500,000 in the UK right?”

Well, wrong…

It’s important to understand that many of the fines we are seeing right now are for transgressions under previous data protection legislation, and £500,000 was the maximum fine that could be handed out by the ICO in the UK. Whilst £500,000 is a lot of money, it’s not a big chunk out of revenues of $40.7 Billion (£31.5 Billion). Elizabeth Denham (The UK Information Commissioner) has stated that under the GDPR, the fine would have been significantly higher. At the upper scale, a fine of 4% would mean Mark Zuckerberg would have to fork out upwards of £1.2 billion!!

"We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation...."
The fine would inevitably have been significantly higher under the GDPR.”

Elizabeth Denham, UK Information Commissioner..

Recently, Giovanni Buttarelli, the European Data Protection Supervisor, has said that he expects the first GDPR fines for some cases by the end of the year (2018). In addition, this doesn’t necessarily mean fines alone but also decisions to admonish Data Controllers, imposing preliminary or temporary bans or even to deliver an ultimatum.

So, how will fines be determined?

Fines are administered by individual member state supervisory authorities (83.1). The following 10 criteria are to be used to determine the amount of the fine on a non-compliant firm:

  • Nature of infringement: number of people affected, damaged they suffered, duration of infringement, and purpose of processing
  • Intention: whether the infringement is intentional or negligent
  • Mitigation:actions taken to mitigate damage to data subjects
  • Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance
  • History: (83.2e) past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (83.2i) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
  • Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement
  • Data type:what types of data the infringement impacts; see special categories of personal data
  • Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
  • Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct
  • Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement


Lower level

Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:

  • Controllers and processors under Articles 8, 11, 25-39, 42, 43
  • Certification body under Articles 42, 43
  • Monitoring body under Article 41(4)
Upper level

Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:

  • The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
  • The data subjects’ rights under Articles 12-22
  • The transfer of personal data to a recipient in a third country or an international organisation under Articles 44-49
  • Any obligations pursuant to Member State law adopted under Chapter IX
  • Any non-compliance with an order by a supervisory authority (83.6)

The prospect of a multi-million euro fine might not worry some, however, the damage to an organisations reputation could, in some instances, far outweigh the cost of the fine.