The General Data Protection Regulation (GDPR) is a difficult piece of legislation to comply with, and failing to meet some of its requirements may lead to hefty fines of up to 4% of total worldwide annual turnover of the preceding financial year or 20 million euros, whichever is higher. Organisations often find it difficult to quantify their risk exposure when confronted with a potential breach of the GDPR, which leads to frustration and a tendency to focus on worst-case scenarios only.

The European Data Protection Board (EDPB) recently issued guidelines on how Member States' data protection authorities (DPAs) should calculate fines for infringements. The guidelines follow a step-by-step approach and provide a consistent methodology for all DPAs to follow. Although these guidelines are directed toward DPAs, they also allow companies to assess their risk exposure more accurately and realistically.

How were fines calculated before the guidelines?

Under the GDPR, each European Union Member State has its own DPA responsible for enforcement. These DPAs calculate so-called administrative fines (i.e., fines for violations of the GDPR) based on various criteria set out in the GDPR. In general, DPAs are required to:

- Ensure that the fine is effective, proportionate and dissuasive.
- Consider any aggravating or mitigating circumstances, including intention or negligence, the seriousness of the infringement and the infringer's level of cooperation.
- Respect the maximum amounts for fines set out in the GDPR.

However, these broad parameters leave much room for interpretation as to how fines should be calculated, leading to uneven application across the EU and requiring lengthy dispute resolution procedures when DPAs disagree with each other on how to apply fines. It is also very difficult for businesses to accurately assess their financial exposure in the event of an infringement. The guidelines attempt to address these issues by introducing a five-step approach for all DPAs to use when calculating fines.

What is the five-step approach?

The five-step approach encourages DPAs to be objective when assessing fines under the GDPR by providing a practical calculation method and specifying a number of factual elements to consider, as follows.

Step 1: Identify infringing activities