What are the penalties for non-compliance?
The GDPR uses a two-tiered approach for administrative fines that may be imposed for violations.
First-level fines can be up to €10 million or, in the case of an undertaking (a concept by which the GDPR looks at a related group of companies), up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Level 1 fines will be imposed for violations relating to:
- failure to obtain consent for processing data relating to children;
- failure to integrate data protection by design and by default;
- failure to keep adequate records of processing activities;
- failure to conduct appropriate or adequate Data Protection Impact Assessments;
- failure to notify the Supervisory Authority of a personal data breach;
- failure to designate a Data Protection Officer;
- failure to certify; and
- failure to cooperate with the Supervisory Authority.
Second-level fines increase up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Level 2 fines will be imposed for violations relating to:
- failure to adhere to the basic principles for processing, including conditions for consent and special category data;
- failure to respect data subjects’ rights;
- international transfers of personal data;
- failure to meet obligations under Member State law adopted under Chapter IX of the GDPR; and
- non-compliance with an order imposed by a Supervisory Authority.
To avoid paying massive fines, businesses should appoint a Data Protection Officer to ensure that the data protection rules are respected in cooperation with the relevant Data Protection Authority.
Contact us for information on our Data Protection Officer outsource services.