GDPR: What punishment – and how hard will it be?

When the GDPR was disclosed in early 2016, one aspect caught the attention of companies and organisations like none other: the sheer size of the fines that ‘controllers’ and ‘processors’ could face if unable to comply with the GDPR. And it is true, actually. Fines have increased drastically compared to the Data Protection Act from 1998. In this blog post, we take a look at how the GDPR will punish companies that are unable to comply and what you can do about it.

Punishment from the GDPR

The GDPR sets out a maximum fine of 20 million euros or four percent of the company’s worldwide turnover. According to legal experts, the increase could be the biggest game changer compared to the Data Protection Act. The theory is that companies and international corporations will be forced to pay attention.

Still, there is an element of consideration in how the fines are meted out. The standard MSP would have to screw up quite royally to trigger fines worth seven to eight figures. Under the GDPR, administrative fines are ‘discretionary rather than mandatory’. This means that they are imposed on a case-by-case basis and, according to the GDPR’s own phrasing, administrative fines must be ‘proportionate’. Companies are expected to establish comprehensive, but proportionate, governance measures.

No heavy fine

If you’re careful and committed to complying, you’re probably not going to face a really heavy fine even if a breach or leak were to happen. In fact, the GDPR clarifies that in cases of a minor infringement, a reprimand could be issued rather than a fine.

Factors that will be taken into account when determining whether a fine will be imposed (and the amount of that fine) include the nature and gravity of the infringement, whether the infringement is intentional or negligent, and the actions taken to reduce the damage suffered by individuals. The willingness to cooperate with supervisory authorities will also be taken into account.

A serious commitment to compliance

This is not to say that ‘controllers’ and ‘processors’ won’t face any punishment as long as they’re not huge international conglomerates and keep a positive spirit about the GDPR. But the idea of Data Protection Agencies handing out fines worth millions of euros left and right is not overly realistic. At least not as long as companies make a serious commitment to compliance and make sure not to sweep breaches or leaks under the rug. Explicit damage control is another way to lessen fines.

An interesting aspect of the GDPR is that individuals who believe that their rights have been infringed can ask the ‘controller’ to remedy the situation. If the individual does not receive a sufficient answer from the ‘controller’, he or she can decide to file a complaint with the national Data Protection Agency. The Data Protection Agency is required to keep the individual informed of the outcome of the complaint. Now, regardless of the specific outcome, just the right of individuals to make such requests is going to put a strain on companies. And if they fail to provide sufficient answers, Data Protection Agencies will notice. Therein lies one of the more unpredictable elements of the GDPR, and perhaps the greatest risk of committing a violation for most MSPs.

Three highlights:

  • The risk of eight-figure fines has stolen much attention with regard to the GDPR. However, fines in the range of millions of euros will require very serious violations of the GDPR.
  • Fines are proportionate and given on a case-by-case basis. Some infringements will result in a reprimand, not a fine.
  • The right of individuals to ask for a remedy could challenge companies.