Request a Proposal
Compliance Council Location

Latest News

What are the penalties for not complying with GDPR and how can they be enforced?

22 November 2017

The information security management system is going to see a change in EU countries after General Data Protection Regulation will come into force in May 2018. As per EU GDPR, any organisation that has access to the personal data of citizens of EU countries are bound to follow these regulations. It doesn’t matter whether they are located in any of the EU countries or not, their access to EU citizen’s data make them eligible to follow this new set of regulations formed by EU GDPR.

There are certain requirements set by EU GDPR to be followed. If an organisation is unable to follow those requirements, they will be penalised with a heavy fine, depending on the offense.

Read on to know details of the offenses and the fines that will be imposed on the organisations, if they fail to meet the requirements of EU GDPR.

Category 1: Fine of 10m or 2% of global revenues

A company may be charged with a fine of 10 million Euros or 2% of their annual global revenues if:

  • An offense related to child consent. As per EU GDPR, the minimum age for an individual to give consent to access their data has been changed to 16 from 13.
  • An offense related to data procession, storage or security of data accessed. The new requirements oblige organisations to inform consumers about the way data is accessed, stored, and processed.
  • An offense related to transparency of information.
  • An offense related to breach notification. Organisations, according to this new set of regulations, are required to notify EU government in an event of data breach within 72 hours of its occurrence.

Category 2: Fine of 20m or 4% of global revenues

GDPR may penalise a company with a fine of 20 million Euros or 4% of their annual global revenues in the cases of:

  • An offense related to data processing.
  • An offense related to obtaining the consent of an EU citizen. Every organisation is bound to obtain the content of EU citizens to access their data as per the new requirements laid by EU GDPR.
  • An offense related to data subject rights.
  • An offense related to not adhering to the DPR order.
  • An offense related to transfer of EU consumer data to third parties. In case a customer has revoked their consent to access and use their personal data, organisations are bound to stop sharing their data with third party companies.

It is to be noted that an organisation will be charged fine on the higher amount. For example, if their offense falls in the 1st category (as mentioned above), they will be charged either 10million or euros or 2% of their revenues, whichever amount is higher.

EU GDPR requires every organisation that is accessing EU citizen’s data to adhere to all the requirements and regulations set by them in order to secure the consumer right. Therefore, any company, whether it is present in EU countries or not, that has a direct or indirect access to personal data of EU citizens, must follow these regulations.  

GDPR - May 2018