The maths behind GDPR fines
The Conference of German data protection authorities DSK has proposed a model for calculating fines.
All details have not yet been published but the model is understood to consist of a number of steps.
- Step 1 involves establishing a daily rate by looking at the aggregate global annual revenue of the entire group of the offending company.
- Step 2 is a severity level assessment. A range of multipliers is determined for minor, average, severe or very severe breaches. The multipliers are then applied to the daily rate which gives a range of possible fines. The median value of that range is then taken to the next step.
- In step 3 the nature of the offence and consequences are considered, such as duration and nature of the offence, number of affected individuals and the extent of harm. Scores from 0 – 4 are assigned and used to determine any resulting increases or decreases.
- Step 4 considers culpability and conduct and allows for increases of up to 300% for repeat offenders and reductions of up to 25%.
- In the final step, aggravating or mitigating factors are considered and an assessment is made whether the fine is effective, proportionate and dissuasive.
The model, which is championed by the authority in Berlin, is reported to have gained interest with the European Data Protection Board.
Those in favour of the model defend that a transparent and systematic fine calculation model will certainly be welcomed by the private sector and regulators. Those sceptical about it question if it is fit to be proportionate and adapt to every scenario as well as raising concerns that the use of this model could lead to higher fines for companies with higher group income.
How this programmatic model will operate in the different legal systems remains to be analysed and may bring some challenges (for example, determining how the model will take into account binding case law and precedent in those jurisdictions where jurisprudence is a source of law).
In any case, any fine that is not effective, proportionate and dissuasive can be subject to judicial review.
Share this blog
- Adtech & martech
- Artificial intelligence
- Cloud computing
- Complex & sensitive investigations
- Cryptocurrencies & blockchain
- Data analytics & big data
- Data breaches
- Data rights
- Digital commerce
- Digital content risk
- Digital health
- Digital media
- Digital infrastructure & telecoms
- Emerging businesses
- Financial services
- KLick DPO
- Open banking
- Software & services