Since the GDPR is a universal piece of legislation, applying to the whole EU, the privacy regulations will be harmonised among all member states. This means that the bulk of the adjustment will have to be completed just once, with only small tweaks and quality assurances to be taken from that point onwards.
Compared with the previous legislation, the Data Protection Directive, the authorities now have more comprehensive rights to investigate. The potential fines have also increased. Generally, fines will be levied by the lead supervisory authority; i.e. the supervisory authority in the country where the company is based (where their main establishment is located).
The supervisory authorities are the main point of contact between the company and the law. Basically, they serve as regulators and supervisors. The supervisory authorities coordinate with one another so as to ensure a consistent standard across the whole EU. It remains to be seen whether ‘regulator shopping’ will be feasible, especially for large companies. The European Commission emphatically stresses that such a thing will not be possible.
Friend or Foe?
In either case, the supervisory authorities can carry out audits, demand and review certifications, require information for any investigations and must be notified of any infringement. If any infringements are found, the authority can issue warnings, reprimands, or in the worst cases, impose administrative fines. But besides the fines, the authority can order that the organisation immediately cease or limit data processing, or in the case of data flows to a third country, suspend those flows. Authorities can also prevent the issue of certificates by the certification bodies. Upon order by the authority, the organisation must notify its users of any data breaches that might have occurred.
‘Carrot and Stick’
In a way, the GDPR follows a tried and true formula. Supervisory authorities have plenty of tools at their disposal to ensure compliance, with fines being the most crucial of all. The goal is to increase compliance by making non-compliance much more expensive. The easiest way is to ensure that the fines are a big deal. And a big deal they are.
Depending on the severity of the transgression, the administrative fines imposed by the supervisory authorities can range from EUR 10 million or 2 percent of total annual global turnover to at least EUR 20 million or 4 percent of total annual global turnover. The greater figure applies – if 4 percent of annual turnover proves to be larger than EUR 20 million, the company will pay more. For example, a company with a turnover of EUR 1 billion will have to pay EUR 40 million if the highest possible fine is imposed.
Not All Violations Are Equal
Of course, the principle is that for minor violations only small fines are issued. In most cases, with good cooperation and for first-time offences, it is reasonable to assume that supervisory authorities will only issue warnings or reprimands. In fact, the same is stated in the GDPR: if the fine would present a disproportionate burden to a natural person or if the infringement is minor, warnings can be issued.
It Pays to Play Nice
When determining the penalty to be issued, the supervisory authorities may have regard to various mitigating (or aggravating) circumstances. These include the nature of the violation, intentionality, negligence, duration, previous violations, adherence to the codes of conduct and the manner in which the authority became aware of the violation.
Fines will clearly be lower, if imposed at all, if the organisation promptly notified the authorities and took all the necessary steps to mitigate any damage that might have occurred. An organisation with a clean sheet is likely to get off scot-free for minor infringements.
No Rest for the Wicked
However, negligence, attempts to hide the extent of the damage, or bad practices in the company that led to data breaches or other grave violations, especially if the company had already been fined, are certain to carry maximum penalties. As stated above, it remains to be seen whether all the authorities (28, one in each EU member state) will be consistent in the application of the GDPR, as they should be.
These administrative fines do not in any way limit other liabilities or further criminal penalties; however, these do not belong to the domain of the GDPR. Still, the organisation should never be fined twice for the same transgression. It remains to be seen to what extent additional criminal penalties will be laid down by the member states without violating the ‘ne bis in idem’ principle. Note that member states can also, in a criminal process, deprive the organisation of profits made by intentionally breaking the GDPR. Any rules for criminal sanctions are to be set at the discretion of each member state.
The first tier of fines, up to EUR 10 million or 2 percent of global turnover, is levied for most kinds of violations. These include:
- failure to obtain parental consent for child users
- inappropriate record-keeping
- delays in notification of irregularities
- failure to appoint a data protection officer
- improper vetting of data processors
- lacklustre measures for implementing safety by design
- noncompliance with the codes of conduct and certification requirements, etc.
In a nutshell, most of these violations are related to administrative measures, notifications, data storage, and transparency.
The second tier, up to EUR 20 million or 4 percent of global turnover, is reserved for the most egregious of violations. These include:
- failure to obtain consent for data processing
- infringement on the users’ privacy rights
- unlawful processing
- noncompliance with a previous order from the supervisory authority, and
- unauthorised (illegitimate) transfer of data to third parties, especially outside the EU.
No More Slaps on the Wrist
Many data protection and privacy authorities have spoken up about the need for a more serious and comprehensive punitive regime if privacy violations are to be deterred. It looks like we have finally got such a package with the GDPR. If all goes well, however, the companies fined will be few and far between, especially if the authorities decide to ‘make an example’ of consistent violators. That’s a big ‘if’ that we wouldn’t count on.
The intent of this article is not to create a proverbial ‘bogeyman’, but to illustrate the possible consequences and costs of negligence and improper safeguarding of data; skimping on ensuring compliance could come back to haunt your organisation… with interest. Or, you might be lucky and enjoy the savings without a single problem or a complaint. But is such a risk worth taking?