Avoiding GDPR fines and penalties matters because the cost can severely damage a company's finances. A fine can also damage the company's reputation, which makes customers lose their trust.
What Are GDPR Fines and Penalties?
GDPR applies to most companies, across business types and sizes large and small. GDPR fines and penalties exist so that non-compliance has financial consequences.
The fines are detailed in Article 83, which covers financial penalties. The amounts are flexible: they scale with the size of the company, so any company that is not compliant with GDPR can be fined regardless of its size. The financial penalties are divided into two levels, depending on the severity of the violation the company committed.
Beyond administrative fines, a company may face other consequences. Article 82 states that a data subject has the right to compensation from a company whose GDPR violation caused them material or non-material damage.
Financial Fines for Less Severe Violations
Article 83(4) covers financial fines for less severe violations. These GDPR fines and penalties can reach up to 2% of the company's annual worldwide revenue from the previous financial year or €10 million, whichever is higher. Violations that can trigger these fines include breaches of the obligations of:
- Certification bodies
- Processors and controllers
- Monitoring bodies
Financial Fines for More Severe Violations
Article 83(5) covers financial fines for more severe violations, which go against the principles behind several rights. The article specifically addresses "the right to be forgotten" and the right to privacy, since these are the main rights GDPR aims to protect.
The fines can reach up to 4% of the company's annual worldwide revenue from the previous financial year or €20 million, whichever is higher. Violations that can trigger these fines mainly involve:
- The basic principles of processing
- The conditions for consent
- The rights of data subjects over their personal data
- Transfers of personal data to a third country or international company
This category also includes the following violations:
- Violations of member state laws adopted under Chapter IX
- Non-compliance with an order from a supervisory authority
What Determines the Amount of a Fine
The GDPR fines and penalties a company faces are determined by the severity level of the penalty and whether an infringement actually occurred. The authority uses ten factors to decide whether the company will be fined and how much:
- Intention
The authority considers whether the infringement happened through negligence or was intentional.
- Nature and gravity
The authority considers the overall picture of the infringement: what kind of infringement it was, why and how it happened, the damage people suffered, the number of people affected, and how long the company took to resolve the issue.
- Mitigation
The authority considers whether the company took action to mitigate the damage to the people affected by the infringement.
- Data category
The authority considers the types of personal data affected by the infringement, which influences the amount of the GDPR fines and penalties.
- Previous infringements
The authority considers whether the company has committed infringements before, including infringements outside GDPR such as under the DPD, and how well the company complied with previous administrative corrective measures under GDPR.
- Precautionary measures
The authority considers the technical and organisational preparation the company had already put in place to comply with GDPR.
- Mitigating or aggravating factors
The authority considers whether other issues arise from the circumstances of the case, such as financial losses avoided or benefits gained through the infringement.
- Cooperation
The authority considers whether the company cooperated with the supervisory authority in discovering and remedying the infringement.
- Codes of conduct and certification
The authority considers whether the company followed approved codes of conduct or had previously been certified.
- Notification
The authority considers whether the company, or a designated third party, proactively reported the infringement to the supervisory authority.
If the authority determines that the company violated multiple GDPR provisions, the penalty is applied only for the most severe violation, provided all the infringements arose from the same processing operation.
Data Mapping Best Practice
Data mapping can help your company improve its GDPR compliance, and it helps you avoid GDPR fines and penalties by providing better data privacy. These are the best practices your company can follow:
Choosing the right tools
The first step is to choose the tools you will use to map the data. Setting up the resources and tools beforehand makes the data mapping process easier and more efficient. You can use a simple spreadsheet or dedicated tools, depending on the company's needs.
Identifying the types and sources of the data
You need to identify which sources will provide the data and what types of data you will collect. Be very specific when identifying these, as they affect the accuracy of the company's data map.
Securing the data mapping process
When you perform data mapping, you interact directly with private data that you must protect. That is why the data mapping process itself needs to be secured. The data mapping tools you use should be protected as strongly as your most sensitive data.
Updating the data map periodically
As time goes on, the data your company gathers will change. The best practice is therefore to update the data map at least once every quarter, or, if necessary, every month or even every week.
The more frequently you update the data map, the less likely it is that non-compliant activities or privacy flaws go unnoticed. That way you can avoid GDPR fines and penalties.
Complying with GDPR records of processing
Data mapping on its own is not enough to prove how the company manages customer data. Article 30 of GDPR describes the records of processing, which help you comply with the regulation and also provide proof of data transfers.
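The practices above (identify sources and data types, record transfers, review the map at least quarterly, keep an Article 30 style record) can be checked mechanically once the map is kept in a structured form. The following is an added example, not code from the article or any tool it mentions; the entry schema, the required-field list, the 90-day staleness threshold (a quarter) and the sample entries are all assumptions constructed for this example.

```python
"""Hypothetical data-map register with the checks the article's best practices imply.

Added example, not the article's code. The DataMapEntry schema, REQUIRED_FIELDS
and the sample entries below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Fields every data-map entry must have before the map is usable as a record.
REQUIRED_FIELDS = (
    "activity",       # what the processing is for
    "source",         # where the data comes from (web form, HR system, ...)
    "data_types",     # categories of personal data collected
    "storage",        # system or tool that holds the data
    "security",       # technical/organisational measures protecting it
    "last_reviewed",  # when the entry was last checked (article: at least quarterly)
)

REVIEW_INTERVAL_DAYS = 90  # assumption: one quarter, the article's minimum cadence
REVIEW_DATE = date(2024, 4, 1)  # constructed "today" for the sample run


@dataclass
class DataMapEntry:
    activity: str
    source: str
    data_types: List[str]
    storage: str
    security: str
    last_reviewed: Optional[date]
    third_country_transfer: Optional[str] = None  # destination country, if any


# Constructed sample register; not data from any real company.
SAMPLE_ENTRIES = [
    DataMapEntry("Newsletter", "website signup form", ["email", "name"],
                 "mailing-list SaaS", "TLS in transit, encrypted at rest, role-based access",
                 date(2024, 3, 1)),
    DataMapEntry("Payroll", "HR system", ["name", "bank account", "national ID"],
                 "payroll database", "encrypted at rest, access limited to HR",
                 date(2023, 11, 15), third_country_transfer="US"),
    DataMapEntry("Support tickets", "", ["email", "free-text messages"],
                 "helpdesk tool", "", None),
]


def missing_fields(entry: DataMapEntry) -> List[str]:
    """Names of required fields that are empty or unset on this entry."""
    return [name for name in REQUIRED_FIELDS if not getattr(entry, name)]


def stale_entries(entries, today: date, max_age_days: int = REVIEW_INTERVAL_DAYS):
    """Entries never reviewed, or last reviewed more than max_age_days ago."""
    limit = timedelta(days=max_age_days)
    return [e for e in entries
            if e.last_reviewed is None or today - e.last_reviewed > limit]


def transfer_entries(entries):
    """Entries that send personal data to a third country (needs proof of transfer)."""
    return [e for e in entries if e.third_country_transfer]


def review_report(entries, today: date, max_age_days: int = REVIEW_INTERVAL_DAYS) -> dict:
    """Summarise what the register owner must fix before the next review."""
    return {
        "incomplete": {e.activity: missing_fields(e) for e in entries if missing_fields(e)},
        "stale": [e.activity for e in stale_entries(entries, today, max_age_days)],
        "transfers": [(e.activity, e.third_country_transfer) for e in transfer_entries(entries)],
    }


if __name__ == "__main__":
    for key, value in review_report(SAMPLE_ENTRIES, REVIEW_DATE).items():
        print(f"{key}: {value}")
```

Running it against the sample register reports the "Support tickets" entry as incomplete (no source, no security measures, never reviewed), flags "Payroll" and "Support tickets" as stale for the quarterly review, and lists the payroll transfer to the US as one that needs documented transfer safeguards. A real register would hold one entry per processing activity and be exported from whatever spreadsheet or tool the company chose in the first step.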
GDPR Incident Response
If the worst happens, your company must notify the supervisory authority as part of its incident response. The notification must be sent within 72 hours of your company becoming aware of the incident.
If a delay causes the notification to be sent after the required timeframe, you must include the reasons for the delay. The notification sent to the supervisory authority should include:
- The details of the incident
You need to provide full details of the incident, including the amount and types of personal data involved and the number of people associated with the affected data.
- A contact point
You need to provide the contact details of the person in your company responsible for sharing further details about the incident, such as the data protection officer.
- The likely consequences
You need to describe the likely consequences of the incident; doing so helps you avoid GDPR fines and penalties.
- The company's plan for the incident
You need to describe the steps the company will take to address the issue and the efforts it plans to make to reduce the negative impact of the incident.
Besides notifying the supervisory authority, your company should also notify the affected individuals. The deadline here is "without undue delay", which some interpret as 72 hours, while others believe the timeframe is more tolerant and can be wider.
However, you do not need to notify the affected individuals for every incident that happens in your company. You therefore need to research further which incidents require notifying individuals and which do not.
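The 72-hour clock and the four required sections above are easy to get wrong under incident pressure, so a small pre-send check is useful. This is an added example, not code from the article or any tool it mentions; the notification dictionary layout, the section names, the timestamps and the sample draft are constructed assumptions for this example.

```python
"""Pre-send check for a breach notification to the supervisory authority.

Added example, not the article's code. The notification dict layout, the
REQUIRED_SECTIONS keys and the sample timestamps are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

# Article: the authority must be notified within 72 hours of becoming aware.
NOTIFY_WINDOW = timedelta(hours=72)

# Sections the article says the authority notification should contain
# (keys are an assumption; descriptions follow the article).
REQUIRED_SECTIONS = {
    "incident_details": "nature of the incident, amount and types of personal data, number of people affected",
    "contact_point": "who can give further details, e.g. the data protection officer",
    "likely_consequences": "likely consequences of the incident",
    "planned_measures": "what the company will do to address it and reduce its impact",
}

# Constructed sample timeline (UTC): awareness, an on-time send and a late send.
AWARE_AT = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
SENT_ON_TIME = datetime(2024, 5, 8, 17, 0, tzinfo=timezone.utc)   # 56 h later
SENT_LATE = datetime(2024, 5, 9, 10, 30, tzinfo=timezone.utc)     # 73.5 h later

# Constructed draft: the "likely consequences" section was left empty.
DRAFT_NOTIFICATION = {
    "incident_details": "Misconfigured storage bucket exposed 1,200 customer records (name, email).",
    "contact_point": "dpo@example.com (placeholder address)",
    "likely_consequences": "",
    "planned_measures": "Bucket made private, access logs reviewed, affected customers to be informed.",
}


def notification_deadline(aware_at: datetime) -> datetime:
    """Latest moment the authority notification may be sent."""
    return aware_at + NOTIFY_WINDOW


def check_notification(notification: dict, aware_at: datetime, sent_at: datetime) -> dict:
    """Report missing sections and timing problems for a draft notification.

    Returns findings for a human to act on; it does not decide whether the
    incident is notifiable in the first place.
    """
    missing = [key for key in REQUIRED_SECTIONS if not notification.get(key)]
    deadline = notification_deadline(aware_at)
    overrun = sent_at - deadline
    late = overrun > timedelta(0)
    return {
        "missing_sections": missing,
        "deadline": deadline,
        "late": late,
        "late_by_hours": round(overrun.total_seconds() / 3600, 1) if late else 0.0,
        # Article: a notification sent after the deadline must state the reasons.
        "delay_reason_missing": late and not notification.get("delay_reason"),
    }


if __name__ == "__main__":
    for label, sent in (("on time", SENT_ON_TIME), ("late", SENT_LATE)):
        print(label, check_notification(DRAFT_NOTIFICATION, AWARE_AT, sent))
```

For the constructed draft the check reports the empty "likely consequences" section in both runs; the late run is 1.5 hours past the deadline and, because no `delay_reason` was given, it also flags that the reasons for the delay are missing. The same structure can be reused for the individual notification once the company has decided which incidents require one, with the "without undue delay" window substituted for the 72-hour constant.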
GDPR imposes these fines so that neglecting data security becomes too costly. That is why it is important for your company to comply with GDPR, which helps you avoid the fines.
One method that can help the company comply with the regulation is data mapping, so it is worth implementing the data mapping best practices that suit your company.
If the worst happens, it is also important to carry out incident response and to inform the supervisory authority and the affected individuals. The notifications must be sent within the set timeframes to avoid further GDPR fines and penalties.