In December 2020, the Irish Data Protection Commission fined Twitter €450,000 for infringing the GDPR. The microblogging platform had failed to report and document a data breach it suffered nearly two years earlier, which placed it on the list of big tech companies that have had to pay GDPR fines.
Twitter made the news because it is a large organization, but it is just one example. Ever since the GDPR came into effect, many more organizations, some of them relatively small, have come under its radar. The GDPR does not look at the size of the organization to determine the fine, but at the severity of the violation and the organization’s response to it.
In this post, we will discuss the ramifications of failing to comply with GDPR and the severity of GDPR fines.
But first, let us briefly look at what the GDPR is.
What is GDPR?
The General Data Protection Regulation (GDPR) is a privacy and data protection regulation that came into effect on May 25, 2018. It lays out rules for organizations that have customers or users in the EU and the EEA. These organizations are required to collect, process, and transfer users’ personal data lawfully and to protect that data from misuse and breaches.
The regulation is a welcome step towards giving people more control over their data.
Failing to comply with GDPR will result in penalties that include harsh fines.
What are the fines for failing to comply with GDPR?
GDPR fines have two levels, depending on the severity of the violation.
For the upper level, i.e. severe violations, the fine can be up to €20 million or 4% of annual global turnover, whichever is higher.
For the lower level, i.e. less severe violations, the fine can be up to €10 million or 2% of annual global turnover, whichever is higher.
The upper-level fines are applicable for violations related to:
- Lawful bases of processing personal data, including conditions of consent
- GDPR rights given to EU individuals
- Cross-border transfers of personal data
- Complying with an order issued by a supervisory authority
The lower-level fines are applicable for violations related to:
- Collecting personal data of children without parental consent
- Collecting, storing, or processing more information about a user than is needed
- Following privacy-by-design requirements
- Sharing personal data with other organizations acting as joint controllers
- Involving third parties in the processing of personal data
- Keeping records of personal information collected
- Notifying the supervisory authority and the users about a data breach
- Performing a data protection impact assessment
- Appointing a data protection officer and carrying out the officer’s tasks
- Establishing certification mechanisms
Not all GDPR violations result in financial penalties. Depending on the nature of the violation, the supervisory authorities decide the course of action against the liable organization. These actions may include a ban on processing activities, an order to delete data, and restrictions on cross-border data transfers.
What are the conditions for imposing GDPR fines?
You might wonder how the supervisory authorities decide whether to impose a fine. The GDPR lists a set of criteria for deciding on fines:
- The nature of the violation, the severity of the damage, and the number of people affected
- Whether the violation was negligent or intentional
- Preventive action or damage control taken by the organization
- Technical and organizational measures implemented to secure people’s data
- Previous violations by the organization
- The degree of cooperation with the supervisory authority in dealing with the situation
- The type of personal data affected
- Whether, and to what extent, the organization notified the supervisory authority
- Whether the supervisory authority has previously taken action against the organization for the violation
- Whether the organization adheres to approved codes of conduct and other certified mechanisms
- Financial benefits gained from the violation
Is GDPR just about fines?
Looking at the huge list of organizations sanctioned under the GDPR, you might wonder if that is all the regulation is about.
No, it is not.
The GDPR was not enacted to punish organizations for failing to comply. It aims to protect the rights and freedoms of people within the EU and the EEA. Since data is a valuable asset, regulating its protection was the right step.
Why comply with GDPR?
Failing to comply with GDPR puts your organization’s reputation at stake. You may recover from the financial loss or from other official actions taken over the violation. However, it is difficult to restore the organization’s reputation and shake off the negative attention, and the violation will affect your users’ trust in you, which may have taken years to build.
Therefore, not complying with GDPR is not worth the risk.
When it comes to your website, CookieYes takes care of your cookie consent requirements. Add a cookie banner to your website and take advantage of a host of features, such as:
- Full customization of the banner
- Granular cookie consent option
- Automatic cookie scan of websites
- Auto-translation of banner
- Automatic third-party cookie blocking
- Built-in Do Not Track (DNT) feature
- Consent logging
- Multilingual websites support
Sign up today for a free account and stay compliant!
Disclaimer: This article is for information purposes only. It does not intend to be a substitute for legal advice. Therefore, if you require any legal assistance, you should seek the services of an attorney.