GDPR Penalties and Fines for Non-Compliance


The General Data Protection Regulation (GDPR) is the most stringent set of privacy and security regulations in the world. Introduced in May 2018, the GDPR outlines the obligations of organizations that target or collect data related to citizens of the EU. In an effort to force compliance, the GDPR levies harsh penalties against organizations that violate its strict privacy and security standards. Depending on the extent of the violation, the penalties can reach tens of millions of euros.


An Overview of the GDPR

The GDPR provides a set of rules to outline the ways in which companies must process the personal data of EU citizens. The regulation sets forth organizational responsibilities to preserve the privacy and protection of personal data. In addition, the GDPR provides EU citizens with specific rights, and grants powers to regulators to request proof of adherence. It imposes fines in those cases where an organization is outside of compliance with requirements.


Who Does the GDPR Impact?

Any organization that collects and accepts personal information from any EU citizen is bound by the rules of the GDPR, regardless of that organization’s location. If the organization has an online presence in the form of a website and collects personal data from EU citizens, it is subject to the requirements of the GDPR. Essentially, this means the GDPR applies to all public-facing companies.


Achieving and Maintaining GDPR Compliance

Some of the key privacy and data protection requirements of the GDPR include:

  • Obtaining the consent of subjects for data processing

  • Making collected data anonymous in order to protect the data subject’s privacy

  • Providing notifications in the event of data breaches

  • Safely managing data transfers across borders

  • Requiring (for certain companies) the appointment of a Data Protection Officer (DPO) to oversee and ensure GDPR compliance

GDPR Penalties for Non-Compliance

Failure to comply with the GDPR can lead to significant penalties, primarily the levying of fines. These fines can range from relatively small to very expensive, depending on the nature and extent of the infraction. The total amount is influenced by ten separate criteria:

  • Intention: Determining whether the breach was intentional or the result of negligence

  • Mitigation: An examination of the actions (if any) that were taken to minimize the damage

  • Preventative measures: A review of the organizational and technical steps that had been in place to help ensure compliance

  • Nature of infringement: Determining the number of people affected by the breach and the damages that were suffered as a result

  • History: A review of any infringements that have occurred in the past for this organization and whether they are relevant to the current breach

  • Cooperation: Assessing the degree to which the company is willing to cooperate to remedy the breach

  • Data Type: The type of data impacted by the breach

  • Notification: Determining whether the infringement was reported to the proper authorities in a timely manner

  • Certification: A review of the certifications the company has previously obtained and of its adherence to regulations

  • Other: Determining whether there are any other factors to consider

Depending on the findings of the above, there are two levels of fines that can be imposed on the company:

  • 2% of the organization’s yearly global turnover, or approximately $12 million USD (the greater of the two)

  • 4% of the organization’s yearly global turnover, or approximately $24 million USD (the greater of the two)

eLearning for GDPR Employee Training

LMS Portals provides a powerful, branded eLearning platform for online GDPR training activities. The system allows our clients and partners to easily build and deliver GDPR training content and courses and includes robust supporting tools for user onboarding, messaging, knowledge management, analytics, and more.


Contact us today to get started for free!