The Cost of GDPR Non-Compliance: Fines and Penalties


KirkpatrickPrice

The European Union’s General Data Protection Regulation (GDPR) has changed the landscape of protecting personally identifiable information, forcing all organizations to review and update how they market, collect, process, use, and store the personal data of EU data subjects. For both data controllers and processors, non-compliance with GDPR could result in steep fines and penalties. What are you doing to avoid the consequences of non-compliance?

What are the Fines?

GDPR has mandated substantial fines and penalties for non-compliance. There are two tiers of fines:

• Lower Level: Up to €10 million, or 2% of the annual global revenue of the prior financial year, whichever is higher
• Upper Level: Up to €20 million, or 4% of the annual global revenue of the prior financial year, whichever is higher

First-tier (lower level) fines will be imposed for breaches of controller or processor obligations. Second-tier (upper level) fines will be imposed for breaches of data subjects’ rights and freedoms.

How are the Fines Determined?

According to Article 83(1), fines are administered by the individual member state supervisory authorities and will be determined based on these factors:

• Nature
• Intention
• Preventative measures
• History
• Cooperation
• Data type
• Notification
• Certification

According to Article 83(3), if your organization infringes multiple provisions, you will be fined according to the most severe infringement; you will not be penalized separately for each infringement.

What Can I Do to Reduce Maximum Fines?

There is no guarantee that your organization won’t receive the maximum fines for non-compliance, but the following may play a role in influencing the final fines and penalties:

• Your level of cooperation with GDPR
• Ensuring that you have appropriate procedures in place for identifying and reporting breaches within the required 72-hour window

Case Study: Applying GDPR Fines and Penalties to the Yahoo Breach

Between 2013 and 2014, 3 billion Yahoo user accounts were breached. Yahoo did not disclose the severity of the breach until 2017, thus failing to meet the 72-hour notification requirement established by GDPR. Because Yahoo’s revenue exceeded $4 billion in 2012, the company could have been fined between $80 million and $160 million had GDPR been in effect at the time of the breach. Additionally, by not disclosing the breadth of the breach in a timely manner, Yahoo would have been less likely to have the final fines reduced.

