This is the final post in a series of 4 on GDPR. Part 1 covered who is subject to GDPR requirements, Part 2 identified data security requirements, and Part 3 covered how organizations should prepare.
In this post, we’ll look at penalties for non-compliance.
The GDPR gives new power to data protection authorities. Compared to its predecessor, the Data Protection Directive (95/46/EC), the GDPR gives data protection authorities broader investigative and enforcement powers and the ability to levy substantially larger fines on organizations that are not in compliance.
Previously, each member state was free to adopt laws in accordance with the principles of the Directive, which meant that there were differences in the way each member implemented and enforced the principles of the Directive. The GDPR is a regulation that applies in all member states of the EU. It provides a new one-stop-shop regulatory framework for the investigation of complaints and enforcement of the GDPR requirements.
Under this framework a member state’s supervisory authority will operate in one of three roles:
- Lead Supervisory Authority – will act as the lead supervisory authority for the controllers and processors whose main establishments are located in its member state. This permits a controller or processor to rely on the guidance and enforcement procedures of one single EU supervisory authority.
- Local Authority – may deal with complaints or infringements that only affect data subjects in its member state.
- Concerned Authorities – will act when data subjects in their member state are substantially affected and will cooperate with the lead supervisory authority on the matter.
This model is designed to provide a uniform, cross-EU enforcement model that still provides individual member states flexibility on matters that pertain only to data subjects residing within their territory.
How is the fine calculated? Article 58 provides the supervisory authority with the power to impose administrative fines under Article 83 based on several factors, including:
- The nature, gravity and duration of the infringement (e.g., how many people were affected and how much damage was suffered by them)
- Whether the infringement was intentional or negligent
- Whether the controller or processor took any steps to mitigate the damage
- Technical and organizational measures that had been implemented by the controller or processor
- Prior infringements by the controller or processor
- The degree of cooperation with the regulator
- The types of personal data involved
- The way the regulator found out about the infringement
The greater of €10 million or 2% of global annual revenue:
If the non-compliance relates to technical and organizational obligations such as impact assessments, breach notifications and certifications, the fine may be up to the greater of €10 million or 2% of global annual revenue from the prior year.
The greater of €20 million or 4% of global annual revenue:
In the case of non-compliance with the key provisions, regulators have the authority to levy a fine of up to the greater of €20 million or 4% of global annual turnover in the prior year. Examples that fall under this category are non-adherence to the core principles of processing personal data, infringement of the rights of data subjects, and the transfer of personal data to third countries or international organizations that do not ensure an adequate level of data protection.
The key word is “greater”, and it is what generates the most concern for those who must comply with this regulation: many global companies have annual revenues in the tens of billions, so the percentage-based cap, not the fixed euro amount, is the one that applies to them.
Let’s look at an example. Company A generates €30 billion in revenue in 2017 and in 2018 it is found to have transferred personal data to a third country that lacks the appropriate safeguards to protect that data. The relevant supervisory authority will have the power to levy a fine of €1.2 billion (4% of €30 billion), which is far more than €20 million. While 4% fines will be reserved for only the most flagrant violators, even a 1.5% fine – €450 million in our example – could make a material difference to a company that will also be dealing with pressure on its business from bad press and a loss of market trust.
What does this all mean? The time to start planning for GDPR compliance is now. May 2018 is not as far off as it seems, and time-consuming investigations and hefty fines may loom on the horizon. Once you discover and inventory your data repositories and the sensitive data they hold, you can begin to scope your readiness project more accurately.
For a free GDPR data security consultation, contact one of our security experts here.