The European Data Protection Board (‘EDPB’) recently released its Guidelines on the calculation of administrative fines under the General Data Protection Regulation (‘GDPR’). The new Guidelines provide a clear roadmap how Supervisory Authorities will calculate GDPR fines moving forward.
These Guidelines aim to harmonize the methodology Supervisory Authorities use to calculate fines and include harmonized ‘starting points.’ In this regard, three elements are considered, namely the categorization of infringements by nature, the seriousness of the infringement, and the turnover of a business.
In addition, the Guidelines set out a 5-step methodology for calculating administrative fines. These include identifying the processing operations, determining the starting point for the calculation of the fine, evaluating the mitigating and aggravating circumstances, identifying the legal maximums of fines, and lastly the requirements of effectiveness, dissuasiveness and proportionality are assessed.
The EDPB emphasizes that calculating a fine is not a mere mathematical exercise. The circumstances of the specific case are the determining factors leading to the final amount, which can be any amount up to and including the legal maximum.
The Guidelines also underscore the importance of effectiveness, proportionality, and dissuasiveness when determining fines. This means that fines should not only be suitable for the infringement but also act as a deterrent for future violations.
The degree of cooperation with the Supervisory Authorities are regarded as a mitigating factor when determining the fine and this therefore means that organizations should have clear procedures in place for responding to data breaches and working with Supervisory Authorities.
The Guidelines will also consider the turnover of organizations when calculating fines. This means that organizations with lower turnovers could potentially face lower fines. However, the impact will still be significant.
Repeated infringements can lead to higher fines. Organizations should therefore have procedures in place to learn from any infringements and prevent them from happening again.
Does your organization require assistance with its data breach procedure? Contact us, the Experts in Data Privacy, at firstname.lastname@example.org