
Written by Nikola Murdzev

Posted on: August 23, 2023

GDPR Administrative Fines and How to Avoid Them

The fines under the GDPR, especially where there have been incidents of severe violation and infringement of personal data, as noted in Article 83(5) of the GDPR, can be issued in an amount equivalent to 4% of the organization’s global turnover of the preceding fiscal year, or up to 20 million euros, whichever amount is higher. This means that, theoretically, there is no upper limit on the maximum amount of the fine.

Let’s see how to prevent exposure to GDPR fines issued by the relevant Data Protection Authorities, from the perspective of your organization acting as a data controller.

The normative background of issuing elevated fines

It is noticeable that, year by year, the relevant Data Protection Authorities break records by issuing higher and higher fines for organizations found to have severely violated and infringed the personal data of their (not so) respected data subjects. With this in mind, as noted in Article 83(5) of the GDPR, organizations are subject to administrative fines if they fail to comply with:

  • the basic principles for processing personal data, including the lawful basis and the conditions for processing data under consent, pursuant to Articles 5, 6, 7 and 9 of the GDPR;
  • respecting and nurturing the data subjects’ rights pursuant to Articles 12 to 22 of the GDPR;
  • the rules on transfers of personal data to a recipient in a third country or an international organization pursuant to Articles 44 to 49 of the GDPR;
  • any obligations pursuant to EU Member State law adopted under the provisions relating to specific processing situations, such as:
      • processing and freedom of expression and information;
      • processing and public access to official documents;
      • processing of the national identification number;
      • processing in the context of employment, and safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
      • obligations of secrecy, and the existing data protection rules of churches and religious associations;
  • an order or a temporary or definitive limitation on processing, or the suspension of data flows, imposed by the data protection supervisory authority pursuant to Article 58(2) of the GDPR, or the obligation to provide access, in violation of Article 58(1) of the GDPR.

Preventive and mitigative activities and measures that the business organizations can undertake as data controllers

With this in mind, it should be restated that companies can influence whether they, as a legal entity, are exposed to administrative fines by a relevant data protection authority: the company should act in good faith, be approachable by the authorities, and have developed standard operating procedures (SOPs) for addressing data protection compliance and the potential risks that may arise from an information security point of view.

In addition, the measures a company can take to prevent exposure to fines by the relevant Data Protection Authorities include the following:

Process data only and solely in relation to a lawful basis for processing under the GDPR;

Respect and abide by the GDPR principles, which means:

1. Process data lawfully, fairly and in a transparent manner. This can be achieved if:

  • The data subject has given you consent to process, collect, or store the data;
  • You have a contract in place which outlines the data flow;
  • The following activity is needed to fulfil a legal obligation that affects your business;
  • It is done in accordance with the purpose of protecting the vital interests of a natural person;
  • It is considered to be treated as a public interest (public task/publicly available data);
  • You can prove the legitimate interest to process, collect, or store the data.

2. Purpose limitation – setting boundaries on how your company may use the personal data. This means the processing of personal data should be done solely in accordance with the processing activities that the organization has outlined in its Privacy Policy, or in a direct controller-to-subject document that outlines the purpose limitation;

3. Data minimization – collecting data in the smallest possible amounts (no bulk data collection, no unlimited insertion of data into data warehouses). Data minimization can be achieved by combining this principle with the principle of purpose limitation;

4. Accuracy – when the organization collects personal data, the data should be accurate, updated, and corrected, with incorrect information deleted, in order to keep the collected and stored data clean;

5. Storage Limitation – as the name suggests, limit the storing of the data, set a timeframe and data retention periods, which will establish a continual practice to delete the unnecessary (and the not obliged under any provision) collection and storage of the personal data;

6. Integrity and confidentiality – treat the personal data management in a way that you will treat the data subject personally – with integrity and confidentiality;

7. Accountability – develop a comprehensive data protection framework and technical and organizational measures to demonstrate a commitment to protecting personal data.

Be vigilant and respect the rights of the data subjects (SAR, RTE, or any other request that you will receive as a data controller);

Do not hide data breach incidents from the authorities (since a data breach can happen to any organization – micro, small, medium, large, and global);

Do not disregard Data Breach Incidents and react both in pre-breach prevention and in post-breach incident management activities to mitigate further risks and harms;

Have a GDPR compliance framework in place;

Have appropriate cross-border data transfer mechanisms in place;

Invest in cyber security to protect the provenance of the data;

Consider whether you need to undertake a Data Protection Impact Assessment (DPIA);

Consider whether you need to have a Data Protection Officer (DPO);

Assign a professional to be your Article 27 Representative under the GDPR;

Constantly update your policies and procedures, including the Privacy Policy and the Record of Processing Activities (ROPA);

Do your homework and stay up to date with all the relevant regulations governing data protection, data privacy, and the free movement of data in every market in which you conduct business activities;

Do not treat the data protection compliance of your organization as a one-off thing, since it needs constancy and consistency in addressing data protection, privacy, and free movement of data.
