On 3rd October, the Article 29 Working Party (WP29) adopted draft guidelines on issuing administrative fines.
The guidance walks through the factors listed in the Regulation and is unsurprising. There is a heavy emphasis on the need for authorities to be consistent in their approach to fines - 'consistent' or 'consistency' is used 12 times in the paper, 'equivalent' 7 times. This consistency is to apply both to the amount of fines and to the choice of the enforcement method.
GDPR allows fines to be imposed based on the worldwide annual turnover of an undertaking. There has been some speculation as to what an 'undertaking' will mean in this context. Unsurprisingly, WP29 takes a broad approach to this - referring to CJEU case law which interprets an undertaking as an economic unit, regardless of the legal persons involved. WP29 emphasises that in the case of a group, this would mean the parent and all subsidiaries.
GDPR suggests that 'minor breaches' may not necessarily result in a fine. WP29 notes that this will always be at the discretion of the authority - but that a breach will be minor if it does not go to the essence of the obligation and does not pose a significant risk to individuals.
Whether a breach is intentional is one factor affecting the sanction. Here WP29 gives the example of ignoring the advice of an organisation's DPO.
WP29 also notes that where an organisation follows a code of conduct, a data protection authority may conclude that enforcement under the terms of the code may be sufficient without further enforcement by the authority.
Lack of resource is not considered to be a mitigating factor.