How high are GDPR fines, and how can you avoid them?

With the EU’s General Data Protection Regulation (GDPR) drawing closer, companies are scrambling to ensure their businesses are compliant with it and safe from penalties in a new era of digital governance.

One of the main things that has given companies pause is the sheer size of the penalties the new law is ready to impose on businesses that fail to protect their users accordingly, especially in the wake of a breach.

Organisations that fail to adhere to GDPR, or that slip up in the face of a data breach, are liable for a fine of up to €20 million or 4% of global annual turnover, whichever is higher. That is a hefty sum, and it is keeping organisations on their toes and prepared to hire the best in cyber and data security to ensure it does not happen to them.

The current cap on financial penalties is £500,000 in fines for organisations that breach the Data Protection Act 1998. The increase is a bold statement about the re-evaluation of the value of data, finally addressing the relaxed limits of the past, which allowed tech giants like Facebook to disregard them and profit from the unregulated use, exchange and exploitation of personal data.

Article 83 separates penalties for infringements into two tiers: the lower tier carries a maximum fine of €10 million or 2% of global annual turnover, and the higher tier a maximum fine of €20 million or 4% of global annual turnover. Lower-tier fines apply to organisations that breach their obligations relating to the integration of data protection ‘by design and by default’. These obligations include keeping records of data processing, cooperating with data regulators, communicating personal data breaches to the users involved and designating the position or tasks of the data protection officer, to name a few.

Higher-tier fines are reserved for more serious infringements, such as overstepping data subjects’ rights and freedoms, failing to comply with the basic principles for the handling of personal data, and non-compliance with a prior order or restriction imposed on the company’s ability to process data.