Wojciech Maciejewski
Wojciech Maciejewski

GDPR Series, Part 4: The Consequences of Non-Compliance

The GDPR Gives Data Protection gives Authorities More Powers

In comparison to the Data Protection Directive (95/46/EC), the new regulation grants data protection authorities more investigative and enforcement powers also in imposing fines.

In the past, the Directive allowed member states to freely introduce and execute its laws which in consequence resulted in massive differences in the way member states implemented and enforced the Directive. GDPR will be introduced similarly all across the EU.

New Investigatory Framework

The GDPR establishes a brand new regulatory framework for the investigation of complaints na execution of regulations. According to this framework, supervisory authorities in member states will work in one of three roles:

  • Lead Supervisory Authority: will act in such a role for the controllers and processors who are located in its member state. Controllers and processors will rely on the instructions and enforcement procedures from a single supervisory authority.

  • Local Authority: it may deal with violations that affect only subjects in a member state.

  • Concerned Authorities: they act if data subjects in their member country are severely affected. To solve the matter, they will work together with the lead supervisory authority.

This framework was designed to assure across-EU enforcement model maintaining flexibility in cases adequate only to data subjects in a given territory.

How is the fine determined?

According to Article 58 of GDPR, the supervisory authority gets the power to impose administrative fines under Article 83 on the basis of a few factors, such as:

  1. The nature, gravity and duration of the infringement (e.g., how many people were affected and how severe the damage was)

  2. If the infringement was intentional or negligent

  3. If the controller or processor took any steps to minimize the damage

  4. If any technical and organizational measures have been implemented by the controller or processor

  5. Previous infringements by the controller or processor

  6. The extent of cooperation with the regulator

  7. The sort of personal data involved

  8. The way the regulator learned about the violation

Amount of the financial penalty

  1. More Than €10 Million or 2% of Global Annual Turnover

  2. In a case of non-compliance related to technical measures, for example, impact assessments, breach notifications and certifications, the fine may reach more than €10 million or 2% of global annual turnover (revenue) from the prior year.

  3. More Than €20 Million or 4% of Global Annual Turnover

  4. If the non-compliance is due to the violation of key provisions of the GDPR, regulators may impose a fine which exceeds €20 million or 4% of global annual turnover from the prior year.

Such a fine can be caused by noncompliance with the fundamental principles of data processing, infringement of the rights of data subjects and the data transfer outside EU to countries and organizations that don't ensure data protection.

How does Grey Wizard protects against fines mentioned by GDPR?

Grey Wizard decreases the risk of data leaks by protecting your infrastructure and internet environment against hacking attacks. Grey Wizard protects websites and web applications from data leaks.

Andrzej Prałat
Wojciech Maciejewski

For media

Provide us with contact details.

Thank you