Receiving a GDPR fine continues to be the ultimate risk keeping most privacy professionals awake at night. In this article, we unpack how GDPR fines are calculated, provide a list of the factors used by DPAs, and detail a worked example to highlight how an organisation’s response to an infringement can significantly mitigate or aggravate the fine issued by a supervisory authority.
The European Data Protection Board (“EDPB”) has recently issued guidance on how European Data Protection Authorities should calculate fines for violations of the EU GDPR. The EDPB had previously issued guidance on the circumstances in which to impose a fine, but detailed guidance on how DPAs should calculate the actual monetary amount has not been available until now. The guidance aims to provide a transparent basis for the harmonised and consistent application of fines by DPAs across the EU.
The EDPB notes that it is not possible to provide a one-size-fits-all, precise mathematical calculation for fines (DPAs have considerable discretion in their application of the guidance), but hopes that the document will provide a common starting point and a harmonised methodology for DPAs to use when making such calculations.
Although the guidance is aimed at EU DPAs, who have the responsibility to determine the value of monetary fines, it gives industry further insight into the factors likely to play into a DPA's determination of a fine, and which factors can be considered mitigating or aggravating. This is especially useful intelligence for data breach or policy violation response planning and analysis (should the need ever arise), as companies can use the factors detailed here to guide their response and perhaps even mitigate against the severest monetary penalties. More proactive companies can use these factors in their risk calculations to guide investment in mitigations.
- The calculation of fines is the responsibility of the appropriate Supervisory Authority. The EDPB guidance is guidance only.
- Article 83(1) of the EU GDPR provides the overarching guiding rationale on fines, mandating that fines shall be effective, proportionate and dissuasive for each individual case.
- Fines can be determined by weighing a variety of factors, details of which are provided in the below tables. Based on an evaluation of these factors, DPAs can determine an infringement to be of a low, medium or high level of seriousness. This evaluation can give rise to a ‘starting point’ fine.
- DPAs next consider mitigating or aggravating factors, which modulate the ‘starting point’ fine, but can never go beyond the legal maximums under GDPR.
- Finally DPAs analyse whether the calculated final amount meets the requirements of effectiveness, dissuasiveness and proportionality as per Article 83 of the GDPR.
The guidelines are lengthy and extremely detailed. We have distilled the most important information into the figures and tables below:
- Figure 1: Overview of the fine calculation methodology. Gives a high level overview of how fines are calculated by DPAs
- Table 1: Factors that determine the level of GDPR fines. All of the factors that the EDPB believe should be weighed by DPAs.
- Table 2: Illustrative example. An example created by Lucid to illustrate how fines might work in practice and how companies can seek to mitigate the severity of fines if needed. Note: the EDPB stresses that it is not possible to provide a precise mathematical calculation for fines (DPAs have considerable discretion in their application of the guidance), so this example should be taken as illustrative only. Businesses cannot calculate precise fines for specific infringements.
Figure 1: Overview of the fine calculation methodology.
Table 1: Factors that determine the level of GDPR fines:
ILLUSTRATIVE EXAMPLE (HYPOTHETICAL FROM LUCID):
1. The context of the infringement
2. Calculate a starting point
3. Adjust based on turnover
4. Mitigating and aggravating factors: Here we provide two example responses to the infringement, to illustrate how the actions of a company can mitigate or aggravate the DPA response.
5. Final determination. We continue our example here with the final determination of the fine by checking that the fine is effective, proportionate and dissuasive. In reality, at this stage DPAs have substantial leeway to tailor the fine based on their own judgement, and this will again depend on the posture of the particular DPA: some are more aggressive than others.
In practice, companies cannot accurately calculate the GDPR fine they believe to be fair and appropriate; this remains the sole responsibility of the applicable supervisory authority. However, this illustrative example gives an insight into the type of factors companies can consider when planning their response to GDPR violations.
In our example case, the contrasting actions in the two company responses changed the example fine by a factor of ten, highlighting the importance of proper privacy management and an effective, transparent organisational privacy culture. In our experience, supervisory authorities are generally fair and act in good faith towards companies subject to investigation and possible enforcement action. Regulators expect this approach to be reciprocated and will most likely err on the side of leniency for companies that are open, transparent, cooperative and proactive in their response to infringements.