GDPR fines: How high are they, and how can you avoid them?


When the EU's General Data Protection Regulation (GDPR) came into force in May 2018, perhaps its most contentious and fear-inducing component was its significantly harsher approach to sanctions.

The regulation grants data protection authorities far greater powers to hold companies to account. In the UK, the Information Commissioner's Office (ICO) can now issue fines of up to 4% of a company's global annual turnover or €20 million (£17.5 million under the UK GDPR), whichever is greater, for the worst data offences.

Although GDPR is a European regulation, more or less the same provisions, including the tougher fines, were introduced into UK law as part of the Data Protection Act 2018, which harmonised UK and EU law. They continue to apply despite Brexit, because the regulation was retained in British law as the "UK GDPR" as part of the withdrawal process.

Hundreds of fines have already been levied against companies across Europe, the vast majority of which were in the low thousands for fairly minor infractions. However, there have been a handful of major fines that have hit the upper threshold of what's possible.

In January 2019, French data protection authority CNIL fined Google €50 million over a lack of transparency and for failing to obtain valid consent as part of its advertising model. This has since been followed by several harsher fines, including a combined €210 million in January 2022 against Facebook and Google for making it difficult for users to reject cookies. In the UK, meanwhile, two of the largest prospective fines were announced against British Airways (£183 million) and Marriott International (£99 million), although both were substantially reduced before being finalised. One of the largest GDPR fines to date was issued against WhatsApp, which was fined €225 million for failing to be transparent about its data sharing practices, after initially being issued with a notice of intent to fine of around €50 million.

A tiered approach to fines

Under Article 83 of the regulation, supervisory authorities apply a two-tiered structure when administering fines. The higher tier carries potential fines of up to €20 million or 4% of global annual turnover, whichever is higher. The lower tier carries a maximum fine of €10 million or 2% of global annual turnover, whichever is higher.

Article 83(4) places in the lower tier infringements of the obligations placed on controllers and processors, such as failing to build data protection "by design and by default" (Article 25) into the services they offer to the public. Failing to cooperate with the supervisory authority (Article 31), regardless of the nature of the underlying breach, also falls into this tier.

The lower tier also covers companies that have failed to appoint a data protection officer where one is clearly required, those that fail to notify the regulator and affected data subjects when personal data is compromised, and those that fail to keep adequate records of the processing they carry out.

The often panic-inducing higher tier, set out in Article 83(5), applies to the most serious infringements: breaching the basic principles of processing, including the conditions for valid consent; infringing data subjects' rights; transferring personal data to a third country unlawfully; and refusing to comply with the regulator's orders, such as a previous warning or an order to limit or stop processing.

Will you always be fined the maximum?

Despite the claims made by many lawyers and software vendors in the run-up to GDPR, the vast majority of enforcement actions fall far short of the multi-million euro fines that are technically possible. Many cases never reach a fine at all: provided a company behaves responsibly and is willing to engage with the regulator, sanctions can be mitigated and even scaled back.

The regulation also makes clear that any fine must be set on a case-by-case basis and be "effective, proportionate and dissuasive" (Article 83(1)). Regulators are therefore required to weigh the circumstances of each individual infringement, including its nature and gravity, its duration and scope, whether it was intentional or negligent, the steps the company took to prevent it and to mitigate the damage, and ultimately how far it affected the rights of the data subjects concerned.

How negligent a company has been is typically the biggest factor in determining a resulting fine, and is often cited as the reason why financial sanctions are justified. The ICO has repeatedly stated that its goal is to work alongside companies to maintain compliance and that it does not purely exist to strike fear into those it regulates - a clear willingness to get data protection right will go a long way.

That willingness, however, needs to be demonstrable. Showing that you took every reasonable step to enforce data protection rules across both your organisation and its supply chain, that data was not processed unnecessarily, and that data breaches were reported as quickly as possible (the regulation requires notification to the regulator within 72 hours of becoming aware of a breach, where feasible) are all clear signs of a compliant company.

James Pressley, associate solicitor at law firm Kirwans, cited the case in which the ICO fined Carphone Warehouse £400,000 under the Data Protection Act 1998, 80% of the maximum then available. He also pointed to WhatsApp's acquisition by Facebook and the undertaking the messaging service gave to the ICO not to transfer any WhatsApp UK user data to Facebook.

"When dealing with organisations of that size, it is easy to imagine that fines of the new GDPR limits could be considered 'proportionate'," he warned.

How is the ICO operating post-GDPR?

The ICO, charged with enforcing data regulation in the UK, has gained a reputation for being a conservative regulator, inclined towards leniency.

Given the scale and severity of fines possible under GDPR, around 40 times the maximum £500,000 available under the Data Protection Act 1998, all eyes were on the ICO as to how it would use its new powers.

"And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective," the former Information Commissioner, Elizabeth Denham, said in 2017, before the regulation took effect. In the same remarks, she reassured organisations that "predictions of massive fines under the GDPR that simply scale up penalties we've issued under the Data Protection Act are nonsense," indicating that the ICO would continue to operate much as it had before, with fines a last resort.

This approach has very much been borne out in practice, with the ICO keen to work with businesses to ensure that violations are rectified once they have been identified. It is evident in the way the regulator dramatically scaled back the fines issued against BA and Marriott, which were finalised in October 2020 at £20 million and £18.4 million respectively.

Denham, at the time, also dismissed predictions of a 'grace period' in which the ICO would be lenient in the first few months after GDPR took effect, given that businesses had had two years to prepare. In reality, the ICO waited some time before issuing severe penalties, given the time it takes to investigate cases and publish findings. The same pattern has been repeated across Europe, with data protection authorities only in the last couple of years beginning to issue the heavy financial penalties many first predicted.

"It would be entirely consistent with that approach for the ICO to demonstrate its new powers by imposing substantial fines, which would serve the dual purpose of bringing many private organisations into line," Pressley continued. He also indicated that infringements in areas previously covered by the Data Protection Act 1998 would be viewed dimly, which has also come to pass. Conversely, organisations that self-report areas of non-compliance have been looked on favourably.

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.