How Severe Are General Data Protection Regulation (GDPR) Fines?


We’ve already been seeing the changes for months now: new, more explicit cookie consent banners, longer and more involved data collection forms and an uptick in fines against U.S. companies operating in the European Union.

Companies in the United States are starting to recognize that they have regulatory responsibilities under EU law, but few understand the full scope of those obligations. Here, we’ll discuss some of the impacts that GDPR has on U.S. businesses and whether those impacts reach companies of all sizes.


What Are Penalties Under GDPR?

GDPR is known for having a rather uncompromising approach to penalties. Under the law, fines break down into two different categories:

  • Tier 1, addressing less severe infringements, can cost a company up to €10 million or 2% of that company’s worldwide annual turnover from the previous financial year, whichever is higher. Lesser infringements include failures by controllers and processors to meet their obligations (for example, data protection by design, processor contracts, records of processing, security of processing and breach notification), and failures by certification and monitoring bodies to carry out fair, impartial assessments.
  • Tier 2, addressing more serious infringements, can cost an organization up to €20 million or 4% of that organization’s worldwide annual turnover from the previous financial year, whichever is higher. More severe infringements include violating the basic principles of processing (including the conditions for valid consent), violating the rights of data subjects, unlawfully transferring personal data to countries outside the EU or to international organizations, and failing to comply with an order from a supervisory authority.

Several criteria also modify these fines under EU law. These criteria include:

  • Gravity: The nature and severity of the infringement, including how many people were affected, the damage they suffered, how long the infringement lasted and how it happened in the first place.
  • Intention: Whether the infringement was the result of intentional non-compliance or of negligence.
  • Mitigation: Whether the organization took steps to mitigate the damage suffered by data subjects.
  • Precautions: How well the organization had implemented technical and organizational measures to comply with GDPR before the infringement occurred.
  • History: The organization’s record of previous infringements under GDPR and other EU data protection rules.
  • Cooperation: The degree to which the organization cooperated with the supervisory authority to remedy the infringement and limit its effects.
  • Data Category: The categories of personal data affected by the infringement (special categories such as health or biometric data weigh more heavily).
  • Notification: How proactively the organization notified the supervisory authority about the infringement, and whether the authority learned of it from the organization at all.
  • Certification: Whether the organization adheres to an approved code of conduct or certification mechanism.
  • Other Factors: Any other aggravating or mitigating circumstances, such as financial benefits gained or losses avoided as a result of the infringement.

When an organization breaches several GDPR provisions within the same or linked processing operations, the total fine is capped at the amount set for the gravest infringement. Infringements spread across separate processing operations, or across separate entities under an umbrella organization, are not combined in this way, so a company could face overlapping penalties.


What Are Some of the Most Significant Cases Ruled Under GDPR Law?


Because GDPR imposes demanding obligations with steep penalties, and because privacy regimes outside Europe rarely line up with it, some massive penalties have already been levied against companies violating GDPR. This has set a clear precedent for U.S. companies operating in the EU: the latitude they enjoy under U.S. law does not carry over to GDPR.

Some of the most significant decisions made against U.S. companies violating GDPR include the following:

  • Amazon: While the full decision has not been made public, Luxembourg’s data protection authority penalized Amazon in 2021 over its advertising targeting and consent practices, with the complaint alleging that users were not properly informed about how their personal data was collected and used. The fine was €746 million, by far the largest under GDPR to date and much larger than the separate €35 million cookie penalty France’s CNIL had imposed on the retail giant in 2020.
  • WhatsApp: In 2021, Ireland’s Data Protection Commission fined WhatsApp €225 million for failing to tell users transparently how it processes their data, including how data is shared with other Facebook companies. Transparency obligations are a core part of GDPR.
  • Google: Until the WhatsApp and Amazon fines in 2021, the CNIL’s January 2019 decision against Google stood as the largest GDPR fine levied against a U.S. business. For failing to give users adequate information about its data collection and for obtaining consent that was not sufficiently specific or informed, Google was fined €50 million.
  • Marriott: A breach of the guest reservation database Marriott inherited through its acquisition of Starwood (compromised four years before it was discovered in 2018), together with the hotel chain’s failure to perform sufficient due diligence on that acquisition, led the UK Information Commissioner’s Office to impose a fine of £18.4 million (roughly €20.4 million).

The regulators’ full reasoning is not always published, but the pattern is clear enough: the size of the fine tracks the size of the company, the scale of the processing involved and the seriousness of the underlying infringement.


What Can My Organization Do to Prevent Major Fines and Non-Compliance?

Organizations can do the work to remain compliant, but the truth is that sometimes, things happen. Here are some steps you can take to mitigate non-compliance and minimize fines:

  • Perform Regular, Thorough Audits: Do not short-change your compliance efforts. Work with a partner to conduct audits, undergo regular vulnerability scans and penetration tests, and continually administer risk and governance policies with compliance leadership to ensure that your organization stays on the right track.
  • Work With Supervisory Authorities: Never, EVER hide anything from regulators. Work closely with the supervisory authority at every step, and provide all records, documents and whatever else it needs to assess the situation. Complete transparency can go a long way in demonstrating a willingness to fix issues, and cooperation is one of the factors regulators weigh when setting a fine.
  • Manage Third-Party Relationships: Under GDPR, using compliant third-party service providers (processors) is part of compliance, but working with such a vendor doesn’t absolve your organization of its own obligations as a controller. Working with a compliant cloud service provider, for example, can meet immediate compliance needs. Still, if an infringement occurs through that cloud service and you cannot show that your organization was in no way responsible for it, you remain liable.
  • Report Problems As Soon As You Know: GDPR requires a controller to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to individuals. Don’t try to quietly fix issues, avoid responsibility by not reporting, or wait to report until after some important business decision. Reporting as soon as you know shows regulators that the problem wasn’t due to intentional non-compliance and that you want to work with them to fix it.


Avoid Penalties for Non-Compliance with Continuum GRC Audits

Automated auditing has the advantage of speed and improves accuracy. Streamlined, automated testing and audits can operationalize your compliance, security and consent strategies in a way that helps you protect your data and maintain the standards and requirements that apply to you.

Preparing for GDPR Auditing and Compliance?

Call Continuum GRC at 1-888-896-6207.
