Penalties for non-compliance: GDPR, MiFID II, and PCI-DSS

by José Luis Pérez February 15, 2018
Penalties for non-compliance GDPR, MiFID II, PCI-DSS

2018 – the year of cyber security

2018 will witness a remarkable transformation in the field of cyber security. On 3rd of January, the European Union implemented MiFID II (The Markets in Financial Instruments Directive), a legislation that regulates companies selling services on the market of financial instruments. In February, the PCI Security Standards Council finally closed the 24-month deadline for becoming PCI-DSS compliant, applicable to all companies that store and process credit card data.

And, if that was not enough, the regulation that we have all been anxiously waiting for, the GDPR (General Data Protection Regulation), will finally become effective on 25th of May this year.

Considering the international reach of these regulations, it could be difficult to think of a digital company that won’t be affected by at least one of them. At Cloud Worldwide Services, we take security very seriously, ensuring the compliance of our call recording solution Recordia, as well as our virtual fax service eComFax, through a careful implementation of a secure, cloud-based infrastructure.

But what happens if your organization is not meeting the requirements? Let’s take a look at the penalties for non-compliance that companies might face if they don’t adapt to the standards:

GDPR: Penalties for non-compliance

The General Data Protection Regulation went through four years of preparation before getting passed by the European Parliament. After its implementation in May 2018, all companies that process and store data of EU citizens will have to meet the strict requirements laid out by the European Union. Failure to comply with the General Data Regulation will result in the following penalties:

Category A – these penalties are related to failure in the preparation and administration of implementing a GDPR compliance program. Article 83 includes some of the following failures, among others:

  • Failure to implement appropriate technical and organizational measures;
  • Failure to cooperate with the data protection supervisory authority;
  • Holding personal data when the identification of the data subject is not required;
  • Failure to designate a Data Protection Officer;
  • Problems with breach notifications to Data Protection Authorities.

Failures from this category are subject to administrative fines that can reach up to 10 million EUR (for undertakings) or up to 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher).

Category B – these penalties address the actual breaches and failures related to the incorrect application of the General Data Protection Regulation. According to Article 83, Category B fines include:

  • Failure to ensure the lawful processing of data as described in Article 6;
  • Failure to demonstrate that the data subject has given consent for processing his personal information, or that the consent is valid;
  • Failure to comply with a right to data portability;
  • Processing of special categories of personal data, (for example, data coming from the healthcare sector) without meeting the security conditions;
  • Non-adherence to the six core principles of processing data.

Failures from this category are subject to administrative fines that can reach up to 20 million EUR (for undertakings) or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).

But that’s not all…

The decision for imposing an administrative fine, as well as its exact amount, will be determined through factors such as:

  • The nature and severity of the infringement;
  • Whether it was intentional or negligent;
  • What actions have been taken to mitigate the damage;
  • The degree of responsibility of the processor or controller;
  • Whether the infringement was notified to the supervisory authority;
  • The category of the affected personal data.


Although the European Commission has established the theoretical implications of non-compliance, it is unclear how these rules will work in practice. From all we know, they will probably vary from country to country, and it would be rather rare to see a maximum fine imposed on a company – unless the breach is extremely severe.

In case of a breach, companies should be prepared for risks and penalties that are not necessarily monetary. Lasting damage to the reputation of your brand, additional investment for strengthening security measures, and a compensation for affected customers will inevitably add up to the administrative fines related to non-compliance with GDPR.

MiFID II: Penalties for non-compliance

The Markets in Financial Instruments Directive II (MiFID II) went through 7 years of development before its implementation on January 3rd, 2018. It aims to protect investors by making sure that financial markets operate in the most functional and transparent way possible.

MiFID II emerged as a revision of the European legislation MiFID, which was implemented in 2007. Under the established regulations, companies are required to submit accurate trade and transaction reports to the Financial Conduct Authority (FCA), ensuring the transparency of financial markets.

Although the exact monetary penalties for non-compliance are not yet established for MiFID II, the FCA has previously charged a 1.5 GBP fine per line of incorrect or non-reported data. Depending on the number of non-reported or incorrectly reported transactions, penalties can reach millions of pounds for non-compliance. So far, the biggest fine imposed on a financial institution was suffered by Merrill Lynch, resulting in a 13 million GBP fine.

Here are some of the penalties that have been imposed so far under the first revision of the MiFID directive:

CompanyFine By the dateInaccurate/non-reported transactions
Merrill Lynch 13,285, 900 GBP22/04/201535 million / 121,387 transactions
Deutsche Bank  AG London Branch4,718, 800 GBP28/08/201429.4 million / 0 transactions
Royal Bank of Scotland (RBS)5,620,300 GBP27/07/201344.8 million / 804,000 transactions    
Plus500UK Limited205,128 GBP24/10/20121.3 million (all) / 189,000 transactions    
City Index Limited490,000 GBP20/01/20112 million / 55,000 transactions    

Regarding the implementation of MiFID II, various resources state that companies that are not compliant with the new financial regulations will risk fines of up to 5 million euros, or 10% of the global turnover.

PCI-DSS: Penalties for non-compliance

The Payment Card Industry Data Security Standard, or simply abbreviated as PCI-DSS, emerged as a measure for increasing controls around cardholder data with the purpose of reducing fraud and improving cybersecurity. As of February this year, when the European Commission finally closed the 24-month deadline for becoming PCI Compliant, companies that do not meet the security requirements for processing credit card data face the risk of severe penalties.

Needless to say, failure to work towards compliance will result in recurrent monthly penalties until the merchant meets the requirements.

The amount of the fine depends on the following factors:

  • Merchant Level – this factor is associated with the number of transactions that are processed per year. Thus, the fine will be bigger for companies that should be in compliance with PCI Level 1. Level 4 merchants are also expected to work towards meeting the requirements, but they are not subject to fines.
    • Level 1: more than 6 million transactions per year;
    • Level 2: between 1 and 6 million transactions per year;
    • Level 3: between 20,000 and 1 million transactions per year;
    • Level 4: less than 20,000 e-commerce transactions.
  • The number of months spent in non-compliance;
  • Violation of the PCI infrastructure and failure to address the identified gaps;

Visa establishes the following penalties for non-compliance with PCI-DSS:

MonthLevel 1Level 2
1 to 3$10,000 monthly$5,000 monthly
4 to 6$50,000 monthly$25,000 monthly
7 and on$100,000 monthly$50,000 monthly

Thus, a company that should be on Level 1 of PCI (because it processes more than 6 million transactions per year), and has been non-compliant for more than 7 consecutive months, will be subject to $100,000 monthly fines.

As a part of the compliance process, merchants will be assessed for the correct implementation of the established security measures. If there has been a violation of the standard, or the assessors have identified infrastructure gaps that need to be filled with urgency, failure to address these gaps can lead to the following penalties:

Level 1 & 2 Merchants:

  • First Violation – Up to $25,000;
  • Second Violation – Up to $50,000;
  • Third Violation – Up to $100,000;
  • Fourth Violation – Up to $200,000;

Level 3 Merchants:

  • First Violation – Up to $10,000;
  • Second Violation – Up to $20,000;
  • Third Violation – Up to $40,000;
  • Fourth Violation – Up to $80,000;

However, the penalties for non-compliance with PCI-DSS do not end here. If a data breach occurs as a result of the incorrect implementation of the standard (or the lack of implementation), the Payment Card Industry has established the following consequences:

  • Up to $500,000 per security breach (or more, depending on the case);
  • $50-$90 fine per each credit card that has been compromised;
  • Increased audit requirements;
  • Compensation costs.

Additionally, companies will face non-monetary penalties for non-compliance such as reputation loss, possible lawsuit by clients, loss of trustworthiness, and revenue loss. In 2013, the popular retail Target suffered a security breach fines of 18.5 million dollars, leading to a $440-million-loss of revenue (and 41 million affected customers!).

In the era of digital transformation, marked by an exponentially increasing number of cyber attacks, it is more important than ever to take security seriously. However, complying with the European regulations is not cheap, and many companies are unable to sustain the high costs associated with the creation of a completely secure  infrastructure.

For this reason, a lot of businesses prefer to partner with a third-party provider that is already compliant with the regulations. At Cloud Worldwide Services, we comply with GDPR, MiFID II and PCI-DSS, ensuring a high-level protection for all our clients and solutions.

If you liked this post, you might also consider reading:

Share it!