How to Avoid GDPR Fines
The financial penalties for breaching the EU's General Data Protection Regulation (GDPR) can be severe. In 2020 alone:
- GDPR penalties exceeded $191 million
- Data protection authorities around the EU received over 121,000 data breach notifications, which is a 19% increase on figures from 2019
If you're required to comply with the Regulation, then it's crucial you understand how to avoid these costly penalties. Below, we consider in detail how the GDPR works, what the Regulation requires of you, and the steps you can take to avoid financial penalties.
- 1. The GDPR
- 1.1. Key Definitions
- 1.2. Who the GDPR Applies to
- 1.3. Rights of the Data Subject
- 1.4. Data Processing Principles
- 1.5. Lawful Basis for Processing
- 2. Penalties for Non-Compliance
- 2.1. Article 83: Financial Penalties
- 2.2. Level One: Article 83(4) Fines
- 2.3. Level Two: Article 83(5) Fines
- 3. Steps to Take Now to Avoid GDPR Fines
- 3.2. Get Express Consent
- 3.3. Minimize the Personal Data You Collect
- 3.4. Report Data Breaches on Time
- 3.5. Introduce Sufficient Cybersecurity
- 4. Conclusion
The GDPR gives EU citizens control over how businesses collect, store, and process their personal data. It's one of the most comprehensive privacy laws in the world, and it's designed to strike a balance between:
- The right for someone to protect their data privacy, and
- The need for businesses to hold some personal data to perform commercial activities
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
Let's now break down the GDPR's key requirements.
First, let's be clear on how the GDPR defines certain terms. We'll use these terms throughout the article, so it's important you know what they mean.
- Consent: When the data subject (an individual) freely gives you informed, express consent to personal data handling. It's not talking about implied consent. We'll cover the differences below.
- Controller: The person or company in charge of collecting the data and deciding how it's processed, e.g., a retailer.
- Data Subject: The person whose data you're handling.
- Personal Data: Information that can be used to identify an individual, such as their name, IP address, or email address.
- Personal Data Breach: This is what it's called when there's an accidental or deliberate security incident which puts personal data at risk.
- Processing: Any action taken on personal data. This includes collecting, storing, and erasing it.
- Processor: A company or individual responsible for processing personal data on a company's behalf.
You'll find all the key definitions in Article 4 of the GDPR, but these are the most important ones you should know about.
Who the GDPR Applies to
If you process personal data belonging to an EU citizen, the GDPR applies to you.
- It doesn't matter where you're based. If you're selling goods or services to the EU, you must comply with the GDPR.
- It also applies if you run behavioral monitoring or other analytics on EU citizens.
The GDPR doesn't apply, though, if you're collecting data for a purely personal purpose e.g., a home address book. It's only triggered when there's some kind of commercial element involved.
If you're unsure whether or not the GDPR applies to you, it's best to assume it does.
Rights of the Data Subject
The GDPR provides individuals, or "data subjects," with specific rights over how businesses use and collect personal data. They have the right to:
- Understand your personal data practices
- Access copies of whatever data you hold on them
- Amend inaccurate or outdated information
- Insist you delete all their personal data
- Restrict how you process their information
- Request a portable copy of the data
- Object to your processing
- Reject automated processing
The rights are set out in Articles 12 through 22.
Data Processing Principles
In Article 5, the GDPR sets out six principles for data processing, which you must adhere to if you handle personal data:
- Data must be processed lawfully, transparently, and fairly
- Limit the reasons why you're collecting data
- Only collect as much data as you need for a specific, clearly defined purpose
- Ensure the data is as accurate as possible
- Don't store personal data for longer than necessary
- Use sufficient safeguards to protect data
Lawful Basis for Processing
You can't process personal data unless it's justified under one of the following legal grounds. Processing's only legal if you:
- Have the data subject's express consent
- Need it to fulfill a contractual obligation e.g., process an order
- Need it to comply with a legal obligation
- Must use it to protect the data subject's vital interests
- Are acting in the public interest
- Have another legitimate (and justifiable) interest
The grounds are set out in Article 6.
Penalties for Non-Compliance
You won't always be fined for GDPR breaches. It all depends on a few factors, such as how serious the breach is, and what steps you took to mitigate the damage.
For minor breaches, you may receive warnings or other formal reprimands. Otherwise, financial penalties might apply.
Article 83: Financial Penalties
There are two levels of financial penalties: Article 83(4) fines, and Article 83(5) fines.
Which level applies depends on which GDPR Articles you violated. Article 83(4) fines are less severe.
Level One: Article 83(4) Fines
You can be fined up to 10 million Euros or 2% of your global annual turnover, whichever is greater, if you violate Articles such as:
- Article 8: Children's consent
- Article 11: Data processing not requiring identification
Level Two: Article 83(5) Fines
Fines go up to 20 million Euros or 4% of your worldwide annual turnover, whichever is the highest amount. It applies if you violate:
- Basic GDPR principles around data processing, including consent
- Member State GDPR laws
- Restrictions imposed on you by supervisory bodies e.g., you've breached the GDPR before and you've been told you can't collect certain types of data
Steps to Take Now to Avoid GDPR Fines
GDPR violations can be either intentional or, more commonly, accidental. Examples of accidental data breaches include:
- Sending an email containing personal data to the wrong staff member
- Losing a portable device with personal data on it
- Forgetting to upgrade your security software, leading to a hacking attempt
As you can see, it's fairly easy for data breaches to occur, but it's crucial you take steps to stop them from happening. So, to help you avoid inadvertently breaching the GDPR, here are five things you should do now.
Briefly, here's a rundown of the clauses you'll need:
- Contact details for the data controller i.e., your business
- Your legal basis for processing
- A rundown of the user's rights under the GDPR
- Who else you share the data with, such as third party service providers
- How users can revoke consent to personal data processing
- The categories of data you process, such as names, home addresses, email addresses
- There's no section telling people how they can revoke consent. It should be really simple for people to change their mind.
- You fail to mention what rights people have under the GDPR.
Avoid GDPR fines by drafting your Policy carefully, updating it regularly, and ensure it's visible on your site.
Get Express Consent
Consent is one of the lawful grounds for data processing under the GDPR. However, consent isn't valid unless it's:
- Express: A user takes some positive step, like clicking on a checkbox, to give permission
- Revocable: Someone can easily withdraw their consent
- Specific: It's clear what they're consenting to
Here's an example from the Pets at Home account registration screen that requests consent to send emails to customers:
Minimize the Personal Data You Collect
It's important you don't collect more personal information than you actually need. So, if you're a retailer, for example, you don't need someone's Social Security Number to complete an order.
- Limit the reasons why you collect personal data
- Don't collect anything more than the minimum amount of information you need
Think of it this way. The less data you process, the less you should worry about potential data breaches. For example, the consequences if you accidentally share all the email addresses in your system are potentially less severe than if you leak financial details.
Report Data Breaches on Time
There's one exception: You don't need to report the breach if it won't cause the affected users any harm. So, for example, if a member of staff saw a customer's personal details, but they're not shared, you could be okay.
However, it's easy to get the balance wrong here and assume you don't need to report something when you actually should.
The outcome? Possibly a GDPR fine. Check with the relevant supervisory authority if you're in any doubt whether to report something or not.
Introduce Sufficient Cybersecurity
Article 5(f) states that it's your responsibility to ensure you take appropriate steps to protect personal data.
In other words, you need the right safeguards in place to keep users' data protected. If there's a data leak, you could be fined if you didn't have sufficient cybersecurity in place. Here are some examples of when this might apply:
- You accidentally send payroll information to an unauthorised member of staff, who steals this data and sells it to hackers
- Someone steals data from an old hard drive or device because you didn't dispose of it properly
To be clear, not all organizations require the same safeguards. What's appropriate depends on the size and complexity of your business, and how sensitive the information is. So, a small retailer requires less sophisticated cybersecurity than a medium-sized company handling healthcare data.
But how do you avoid GDPR fines for insufficient cybersecurity? By showing a commitment to cybersecurity that's proportionate for your business.
- Install antivirus software and keep it updated
- Encrypt data you send by email or store in the cloud
- Use strong passwords and multi-factor authentication, where possible
- Destroy data safely before disposing of old hardware
- Use network protection tools
It might be a good idea to ask a managed services provider for help if you're not sure where to start, or how to assess your security.
The GDPR applies to any business offering goods and services to EU citizens, and penalties for non-compliance can be steep. To help avoid these costly GDPR fines:
- Always ensure you have a legal basis for data processing, and communicate it clearly to your users
- Ensure you obtain express consent to personal data handling
- Always report data breaches on time, and take steps to prevent them happening again
- Make sure you have sufficient cybersecurity in place to protect personal data
- Don't collect more personal data than you need
Finally, remember you're responsible for personal data until it's destroyed, so you need secure processes in place for deleting a user's personal information, too.