How to Avoid GDPR Fines

The financial penalties for breaching the EU's General Data Protection Regulation (GDPR) can be severe. In 2020 alone:

• GDPR penalties exceeded $191 million
• Data protection authorities around the EU received over 121,000 data breach notifications, which is a 19% increase on figures from 2019

If you're required to comply with the Regulation, then it's crucial you understand how to avoid these costly penalties. Below, we consider in detail how the GDPR works, what the Regulation requires of you, and the steps you can take to avoid financial penalties.

The GDPR

The GDPR gives EU citizens control over how businesses collect, store, and process their personal data. It's one of the most comprehensive privacy laws in the world, and it's designed to strike a balance between:

• The right for someone to protect their data privacy, and
• The need for businesses to hold some personal data to perform commercial activities

The Regulation is made up of 99 legally-binding Articles and 173 Recitals. The Recitals, although not legally binding, help you understand how to interpret the Articles, so you should read them.

Let's now break down the GDPR's key requirements.

Key Definitions

First, let's be clear on how the GDPR defines certain terms. We'll use these terms throughout the article, so it's important you know what they mean.

• Consent: When the data subject (an individual) freely gives you informed, express consent to personal data handling. It's not talking about implied consent. We'll cover the differences below.
• Controller: The person or company in charge of collecting the data and deciding how it's processed, e.g., a retailer.
• Data Subject: The person whose data you're handling.
• Personal Data: Information that can be used to identify an individual, such as their name, IP address, or email address.
• Personal Data Breach: This is what it's called when there's an accidental or deliberate security incident which puts personal data at risk.
• Processing: Any action taken on personal data. This includes collecting, storing, and erasing it.
• Processor: A company or individual responsible for processing personal data on a company's behalf.

You'll find all the key definitions in Article 4 of the GDPR, but these are the most important ones you should know about.

Who the GDPR Applies to

If you process personal data belonging to an EU citizen, the GDPR applies to you.

• It doesn't matter where you're based. If you're selling goods or services to the EU, you must comply with the GDPR.
• It also applies if you run behavioral monitoring or other analytics on EU citizens.

The GDPR doesn't apply, though, if you're collecting data for a purely personal purpose e.g., a home address book. It's only triggered when there's some kind of commercial element involved.

If you're unsure whether or not the GDPR applies to you, it's best to assume it does.

Rights of the Data Subject

The GDPR provides individuals, or "data subjects," with specific rights over how businesses use and collect personal data. They have the right to:

• Understand your personal data practices
• Access copies of whatever data you hold on them
• Amend inaccurate or outdated information
• Insist you delete all their personal data
• Restrict how you process their information
• Request a portable copy of the data
• Object to your processing
• Reject automated processing

The rights are set out in Articles 12 through 22.

Data Processing Principles

In Article 5, the GDPR sets out six principles for data processing, which you must adhere to if you handle personal data:

• Data must be processed lawfully, transparently, and fairly
• Limit the reasons why you're collecting data
• Only collect as much data as you need for a specific, clearly defined purpose
• Ensure the data is as accurate as possible
• Don't store personal data for longer than necessary
• Use sufficient safeguards to protect data

Lawful Basis for Processing

You can't process personal data unless it's justified under one of the following legal grounds. Processing's only legal if you:

• Have the data subject's express consent
• Need it to fulfill a contractual obligation e.g., process an order
• Need it to comply with a legal obligation
• Must use it to protect the data subject's vital interests
• Are acting in the public interest
• Have another legitimate (and justifiable) interest

The grounds are set out in Article 6.

Penalties for Non-Compliance

You won't always be fined for GDPR breaches. It all depends on a few factors, such as how serious the breach is, and what steps you took to mitigate the damage.

For minor breaches, you may receive warnings or other formal reprimands. Otherwise, financial penalties might apply.

Article 83: Financial Penalties

There are two levels of financial penalties: Article 83(4) fines, and Article 83(5) fines.

Which level applies depends on which GDPR Articles you violated. Article 83(4) fines are less severe.

Level One: Article 83(4) Fines

You can be fined up to 10 million Euros or 2% of your global annual turnover, whichever is greater, if you violate Articles such as:

• Article 8: Children's consent
• Article 11: Data processing not requiring identification

Level Two: Article 83(5) Fines

Fines go up to 20 million Euros or 4% of your worldwide annual turnover, whichever is the highest amount. It applies if you violate:

• Basic GDPR principles around data processing, including consent
• Member State GDPR laws
• Restrictions imposed on you by supervisory bodies e.g., you've breached the GDPR before and you've been told you can't collect certain types of data

Steps to Take Now to Avoid GDPR Fines

GDPR violations can be either intentional or, more commonly, accidental. Examples of accidental data breaches include:

• Sending an email containing personal data to the wrong staff member
• Losing a portable device with personal data on it
• Forgetting to upgrade your security software, leading to a hacking attempt

As you can see, it's fairly easy for data breaches to occur, but it's crucial you take steps to stop them from happening. So, to help you avoid inadvertently breaching the GDPR, here are five things you should do now.

Draft a GDPR-Compliant Privacy Policy

You're expected to provide people with simple, clear, and accessible information about your data processing policies. The easiest way to achieve this is by writing a GDPR-compliant Privacy Policy.

Every Privacy Policy must include certain clauses to comply with the GDPR. If your Policy doesn't contain these clauses, for any reason, you could be fined under the Regulation.

Briefly, here's a rundown of the clauses you'll need:

• Contact details for the data controller i.e., your business
• Your legal basis for processing
• A rundown of the user's rights under the GDPR
• Who else you share the data with, such as third party service providers
• Whether or not you use cookies or other tracking technologies
• How users can revoke consent to personal data processing
• The categories of data you process, such as names, home addresses, email addresses

You should also update your Privacy Policy at least once a year, and make sure you publish it somewhere obvious on your website. Good places to place links to your Policy include your website footer, account signup screens, and website checkout pages. You should add it to places where you collect information or request consent for things such as email marketing.

Here's an example from 7 For All Mankind of how to get consent to your Privacy Policy while displaying it to users. You can't sign up for an account without expressly consenting to how your data will be used:

Now we're clear on what you should include, let's quickly run over some common reasons why your Privacy Policy might fall short of these requirements:

• You start using the data for new purposes, but you don't update your Privacy Policy to reflect this. There's a chance users won't consent to the change, which means you could lose your lawful basis for processing.
• There's no section telling people how they can revoke consent. It should be really simple for people to change their mind.
• You fail to mention what rights people have under the GDPR.

Avoid GDPR fines by drafting your Policy carefully, updating it regularly, and ensure it's visible on your site.

Get Express Consent

Consent is one of the lawful grounds for data processing under the GDPR. However, consent isn't valid unless it's:

• Express: A user takes some positive step, like clicking on a checkbox, to give permission
• Revocable: Someone can easily withdraw their consent
• Specific: It's clear what they're consenting to

Here's an example from the Pets at Home account registration screen that requests consent to send emails to customers:

Minimize the Personal Data You Collect

It's important you don't collect more personal information than you actually need. So, if you're a retailer, for example, you don't need someone's Social Security Number to complete an order.

• Limit the reasons why you collect personal data
• Don't collect anything more than the minimum amount of information you need

Think of it this way. The less data you process, the less you should worry about potential data breaches. For example, the consequences if you accidentally share all the email addresses in your system are potentially less severe than if you leak financial details.

Report Data Breaches on Time

Usually, you need to report a data breach within 72 hours of discovering it. The rules are set out in Article 33.

There's one exception: You don't need to report the breach if it won't cause the affected users any harm. So, for example, if a member of staff saw a customer's personal details, but they're not shared, you could be okay.

However, it's easy to get the balance wrong here and assume you don't need to report something when you actually should.

The outcome? Possibly a GDPR fine. Check with the relevant supervisory authority if you're in any doubt whether to report something or not.

Introduce Sufficient Cybersecurity

Article 5(f) states that it's your responsibility to ensure you take appropriate steps to protect personal data.

In other words, you need the right safeguards in place to keep users' data protected. If there's a data leak, you could be fined if you didn't have sufficient cybersecurity in place. Here are some examples of when this might apply:

• You accidentally send payroll information to an unauthorised member of staff, who steals this data and sells it to hackers
• Someone steals data from an old hard drive or device because you didn't dispose of it properly

To be clear, not all organizations require the same safeguards. What's appropriate depends on the size and complexity of your business, and how sensitive the information is. So, a small retailer requires less sophisticated cybersecurity than a medium-sized company handling healthcare data.

But how do you avoid GDPR fines for insufficient cybersecurity? By showing a commitment to cybersecurity that's proportionate for your business.

• Install antivirus software and keep it updated
• Encrypt data you send by email or store in the cloud
• Use strong passwords and multi-factor authentication, where possible
• Destroy data safely before disposing of old hardware
• Use network protection tools

It might be a good idea to ask a managed services provider for help if you're not sure where to start, or how to assess your security.

Conclusion

The GDPR applies to any business offering goods and services to EU citizens, and penalties for non-compliance can be steep. To help avoid these costly GDPR fines:

• Always ensure you have a legal basis for data processing, and communicate it clearly to your users
• Write a GDPR-compliant Privacy Policy and display it prominently on your website
• Ensure you obtain express consent to personal data handling
• Always report data breaches on time, and take steps to prevent them happening again
• Make sure you have sufficient cybersecurity in place to protect personal data
• Don't collect more personal data than you need

Finally, remember you're responsible for personal data until it's destroyed, so you need secure processes in place for deleting a user's personal information, too.