Since May 25th the General Data Protection Regulation (GDPR) has been fully enforceable. The new legislative package has replaced the former Directive 95/46 ('The Data Protection Directive') and imposed new European rules regarding data protection. Amongst other things, the GDPR sets stringent penalties for non-compliance with the new rules.
Firstly, supervisory authorities will have a larger package of instruments to enforce compliance. They will have a set of investigative, corrective, authorisation and advisory powers. With the ongoing process of globalisation, border crossing investigations have become increasingly common. Therefore, supervisory authorities are handed tools to set up cooperation with other supervisory authorities aiming for effective enforcement of the GDPR across all Member States.
Depending on the nature of the infringement, the fines for non-compliance can rise up to €20 Million or 4% of the total worldwide annual turnover, whichever is higher. The amount of a possible fine is decided on a case by case basis. The following parameters are taken into account when deciding whether or not a fine should be imposed and in determining the amount of the possible fine (article 83 GDPR).
- Nature, gravity and duration of the infringement. The scope of the processing, the number of data subjects and the consequential damage is also taken into account;
- Whether the infringement has an intentional or negligent character;
- Whether the data controller or processor have taken mitigating measures;
- Whether sufficient technical and organisational measures have been implemented;
- Whether there is a history of infringements;
- The degree of cooperation with the supervisory authority;
- The categories of personal data involved in the infringement;
- How the supervisory authority became aware of the infringement;
- Whether there is a history of correcting measures;
- Whether there is adherence to codes of conduct of approved certification mechanisms;
- Whether there are any other aggravating or mitigating factors applicable.
With these severe fines, carefully handling of the personal data flowing within your organisation has become a serious boardroom matter. Make sure to give privacy governance a permanent place in your organisation strategy and prevent high fines from being imposed.