Is Your Website at Risk for GDPR Fines or Penalties?

Last updated: 10/18/2018

A rule isn’t much of a rule without a penalty for violating it. That’s a big part of what makes the European Union’s much-publicized General Data Protection Regulation such a big concern for website owners. It isn’t just a set of suggestions for data collectors and processors—violating GDPR rules can mean considerable penalties, financial and otherwise.

What kind of fines and penalties are possible?

GDPR guidelines break penalties for noncompliance into several tiers depending on the offender and the nature of the offense. For violations classified as “lower level”, an organization risks a fine of up to €10 million or 2% of its “worldwide annual revenue of the prior financial year,” whichever is higher.

Lower Level GDPR Violations

Lower level violations generally involve rules governing:

  • Data controllers - People or organizations who collect personal data as defined by GDPR
  • Data processors - People or organizations who process data on behalf of a controller
  • Certification bodies - Organizations accredited by a competent supervisory authority or national accreditation body
  • Monitoring bodies - Organizations accredited to monitor compliance with GDPR codes of conduct

Upper Level GDPR Violations

An “upper level” violation can incur a fine of up to €20 million or 4% of worldwide annual revenue.

Upper level fines cover a wider range, including violations related to breaches of data subjects’ rights and freedoms:

  • Basic processing principles and user consent
  • The rights of data subjects
  • Transfer of personal data to someone in a third country or international organization
  • Orders from a supervisory authority

What determines the levels?

GDPR guidelines leave the criteria for these classifications fairly vague. Some experts have noted that leaving some leeway allows regulators to offer violators reduced penalties if they commit to compliance, while slapping more serious offenders with the full force of the maximum fine. This could be a useful tool for actually improving data protection across the internet, rather than simply punishing violators.

The criteria for deciding the level of a fine are broken into 10 key points:

  • Nature of the infringement - Takes into account how many people were impacted, what damage they suffered and for how long, and the type of data being processed
  • Intention - Considers whether or not rules were violated intentionally
  • Mitigation - Considers what steps the offender has taken to rectify the situation for data subjects
  • Preventative measures - Looks at what technical and organizational steps were taken before the violation to comply with GDPR rules
  • History - Considers whether the organization has previously violated GDPR standards or any prior data protection regulations
  • Cooperation - Takes into account how well the offender has cooperated with authorities
  • Data type - Considers the specific data involved in the violation, including whether it falls under any of the GDPR’s special data categories
  • Notification - Considers whether the offense was reported to authorities by the organization itself or by a third party
  • Other factors - Takes into account any other mitigating circumstances as determined by authorities

Non-Monetary Penalties

Obviously, the threat of losing up to 4% of one’s annual revenue is nothing to sneeze at, but there are other, less tangible penalties that should also concern any data collector. When it comes to protecting consumer data, establishing and maintaining your users’ trust is a major concern.

Simply put, an organization with a documented violation of GDPR rules has a large strike against it in the eyes of visitors who care about protecting their data and maintaining their privacy. Money aside, not taking GDPR rules seriously is not worth the reputational risk. It pays to stay on the right side of the GDPR.

Have you automated your GDPR web compliance process? Siteimprove Data Privacy locates the personal data you handle online so you can pinpoint and remove that data across your websites, minimizing the risk of fines and other legal consequences.
