Note: This is the fourth of an ongoing series on GDPR. We'll be preparing you all the way to May 2018 on topics like Privacy Protection and Breach Notification, GDPR Compliance Strategies, GDPR Enforcement and Penalties, Potential GDPR Costs, GDPR Auditing and more.
May 25, 2018 is right around the corner.
As we get closer to the big date, businesses and organizations that operate within the European Union (EU) or maintain personal data of EU citizens will come under enforcement and penalties from the General Data Protection Regulation (GDPR).
Exactly how the GDPR will be enforced can best be described as vague at this point. We know that there will be penalties for any transgressions or lapses in the protection of data. Organizations must attempt to understand how enforcement will be handled so as to avoid any of the penalties that could follow.
When it comes to enforcement of GDPR requirements, nobody is 100% certain. One factor affecting how it will be enforced is that there are many member states within the EU, and each will be enforcing data protection itself. Some countries will lean heavily toward data protection, while others will possibly be a little more forgiving as they lean toward the facilitation of global business. Enforcement will also be measured against certain criteria: Nature of infringement, Intention, Mitigation, Preventative Measures, History, Cooperation, Data type, Notification, Certification, and "Other", meaning other mitigating factors such as the impact of the infringement on the firm. Once it has been determined that an organization has failed to meet the standards set forth in the GDPR, penalties will be levied.
Infringements and their penalties will be classified into two levels: Lower level and Upper level. Lower level infringements will be met with a penalty of up to 10 million Euros or 2% of worldwide annual revenue for the prior financial year, whichever is higher. Examples of infractions that would be considered "Lower level" include those related to Controllers and Processors, Certification, or Monitoring. The second level of infringements, "Upper level", comes with penalties of up to 20 million Euros or 4% of worldwide annual revenue for the prior financial year, whichever is higher.
Infractions that would garner the Upper level designation include those pertaining to the basic principles for processing (which include the conditions for consent), Data subjects' rights, Transfers of personal data, Obligations under Member State law, or non-compliance with an order of a Supervisory Authority.
While how the GDPR will be enforced from one Member State to another across the EU could be vague or inconsistent, the penalties for infractions are anything but vague. The penalties that will be levied for either Lower or Upper level infractions have the ability to gravely impact any business. No organization or business can approach GDPR with blinders on and not expect potentially devastating financial penalties for GDPR-related infractions. It will be imperative that businesses take a stance of staying on top of the requirements of GDPR and be in tune with how it is being enforced.