It is very easy to panic once you read the GDPR articles on fines and corrective powers (Articles 58 and 83). The figures are huge and the list of potential infringements is long. The anxiety is understandable: fines are something most companies would rather avoid, and precise guidance on how to avoid them is always welcome.
Consistency in Fines
Fortunately, the Article 29 Working Party (WP29) has been busy. Its guidelines on the application and setting of administrative fines (WP253) are addressed to the supervisory authorities (SAs) rather than to businesses. Businesses should nevertheless review them carefully, because they indicate how the SAs will behave.
The WP29 aims to ensure consistency in sanctions across the EU as a whole, so the authorities are expected to follow this document. Note that the GDPR imposes a markedly stronger requirement for consistency than the Data Protection Directive (DPD) did.
Again, concrete case studies and examples are still missing, but we have learned plenty.
The Sanction Criteria
As expected, the SAs will weigh several aspects of an infringement in order to determine the appropriate sanction, so each case is assessed on its own facts. There are, however, several key factors they must always consider (Article 83(2)).
The Nature and Gravity
The more serious the infringement, the harsher the sanction, all other things being equal. The infringements and their fine tiers are listed exhaustively in Article 83(4) to (6), so there should be no surprises there. Minor infringements may result in a reprimand instead of a fine.
So, what affects the gravity of an infringement? One major factor is the number of data subjects affected. Several infringements committed at the same time also point towards a larger fine, although for the same or linked processing operations Article 83(3) caps the total at the amount set for the gravest of them. The SAs must also take the nature, scope and purpose of the processing into account, which is likely to be used to judge whether appropriate safeguards were in place for that kind of processing.
The level of damage suffered by the data subjects is taken into account as well.
Duration and Intentionality
The longer an infringement lasts, the more likely the SAs are to treat it as intentional, or at least as negligent. That stance has some merit: an infringement that goes unnoticed for a few weeks may be excusable, but one that continues for months is simply irresponsible.
A long-running infringement indicates that the company's technical and organisational measures are inadequate and that detection is lacking. Do not expect credit merely for observing good security practice: appropriate measures are obligatory under Article 32, and everyone is expected to meet that minimum standard.
Then again, such infringements can be unintentional. Human error is common, and the SAs have discretion to assess whether that was the case; the company's prior history will inform that assessment.
Note that acting contrary to the advice of the data protection officer (DPO) is treated as an indicator of intent. Such infringements will carry high penalties.
‘Redemption’
If a business has done everything it can to contain the fallout and minimise the damage caused by its infringement, the authorities will take that into account. Businesses should notify the SA promptly once they become aware of a breach (Article 33 requires notification within 72 hours where feasible); doing so is a strong mitigating factor.
A timely response can help your business reduce the total fine even where an infringement is established. That is why it always pays to respond quickly and to focus on minimising the harm to the affected individuals. Repeat offenders will face more severe sanctions.
The authorities will also assess the technical and organisational measures in place and the existence of strong data protection policies when determining the degree of responsibility for an infringement.
In other words, if your company does what is reasonably expected to prevent infringements and one occurs anyway, you can expect a markedly reduced fine. Cooperating with the authorities as fully as you can is also wise, since cooperation is an explicit mitigating factor.
Subsidiaries
Of note to larger companies, especially multinationals: the fine is calculated against the 'undertaking' as an economic unit, so a parent company is answerable for the infringements of its subsidiaries, and the 'total worldwide annual turnover' used to set the 4 per cent ceiling is that of the whole group. A large company therefore cannot 'hide' behind a shell company with low turnover and pay fines capped at €20 million.
Conclusion
The WP29 guidelines are useful to all controllers and processors. The mitigating and aggravating factors are clearly listed, and you can use their assessment criteria as a checklist for good practice.
The key points are:
- It pays to be honest and contact the authorities as soon as possible
- Try to mitigate any damage that others suffered as a result of your infringement
- Evaluate your security practices to detect infringements before it’s too late
- Always listen to your DPO.
By observing these guidelines, any fine you do receive should be a slap on the wrist compared with the exorbitant amounts that serial and deliberate offenders will be saddled with.