The Dutch Data Protection Authority just released its GDPR fining policy, being the first country to do so. GDPR allows for a maximum fine of 4 percent of global revenue or €20 million, whichever is higher, but little has been said about how to determine the exact fine amount and what the scale is.
The new GDPR fining policy sheds light on this as it introduces a four category system, giving various examples depending on company size and maximum fine. For example, if a company’s maximum fine is €10 million, it might face the following fines for less severe violations:
- Category I: €0 to €200,000
- Category II: €120,000 to €500,000
- Category III: €300,000 to €750,000
- Category IV: €450,000 to €1 million
BREAKING: Dutch Data Protection Authority publishes #GDPR fining policy: 4 categories, range and basic fine per category, and aggravating or mitigating circumstances. Fine higher than category 4 will only be issued if max category 4 is “not appropriate”. https://t.co/MX734ZryI4 pic.twitter.com/vtjx2ebsLe
— Jeroen Terstegge (@PrivaSense) March 14, 2019
While the Dutch Data Protection Authority doesn’t explicitly state how it’ll categorize GDPR violations, it does share a list of “relevant factors” for determining a severity of a violation. Factors include the duration of the infringement, the number of data subjects (people) affected, how quick the company reacts, and what type of personal data is involved.
Arnoud Engelfriet, IT lawyer and partner at Dutch firm Legal ICT, says the policy brings some much needed clarity to GDPR enforcement. While the GDPR doesn’t strictly require a detailed policy, it does require a fine to be evaluated according to many criteria, so issuing a clear policy like this helps in Engelfriet’s opinion.
“The supervisor is free under the GDPR to issue fines and to categorize them as it sees fit, so you can have four, eight, two, or no categories if you want. As long as you can justify each fine you’re OK under the GDPR,” Engelfriet told TNW.
Introducing categories does, however, make it easier for companies and the general public to understand how GDPR will be enforced. Engelfriet is happy with the introduction of the new policy and says the fine system is set up so that ‘simple’ offenses can be managed with a relatively light fine, thus reducing the number of appeals and making the whole process smoother.
“But if something big happens, they can bring down the full GDPR hammer and fine €10 or €20 million, or 4 percent of worldwide turnover. And this is definitely so for the general rules of GDPR: transparency, easily available rights, and above all, clear documentation on every step you took to become compliant. Because if you’re GDPR compliant but you have no documentation, you’re not GDPR compliant. And that’s a €20 million fine for you then.”
Many have been waiting for GDPR’s ‘real’ impact, as there wasn’t much enforcement in 2018. Experts predict that it will change in 2019, with various investigations coming to a close in the following months, accompanied with the first GDPR fines. Engelfriet agrees that the Dutch GDPR policy is a signal for a GDPR enforcement era: “You wouldn’t set such a policy if you did not intend to issue fines.”
TNW Conference 2019 is coming! Check out our glorious new location, inspiring line-up of speakers and activities, and how to be a part of this annual tech extravaganza by clicking here.