Not Ready to Comply With GDPR? Consider the Penalties
We know, from our first blog, that even if your business or association does not reside in the European Union (EU), you may still get hit with fines if you are not GDPR compliant. But what do those fines look like? And who decides the fine?
GDPR Gives New Power to Data Protection Authorities
The GDPR gives data protection authorities more investigative and enforcement powers, and the power to levy more substantial fines, than its predecessor, the Data Protection Directive (95/46/EC).
Under the Directive, each country was free to adopt laws in accordance with the Directive's principles. This meant that there were differences in the way each country implemented and enforced it. Unlike its predecessor, the GDPR is a regulation that applies directly in all member states of the EU.
The GDPR provides a one-stop-shop regulatory framework for the investigation of complaints and enforcement of the GDPR requirements. Under GDPR, each country's supervisory authority will operate in one of three roles:
- Lead Supervisory Authority: will act as the lead supervisory authority for the controllers and processors whose main establishments are located in its country. This will allow a controller or processor to rely on the guidance and enforcement procedures of one single EU supervisory authority.
- Local Authority: deals with complaints or infringements that only affect data subjects in its country.
- Concerned Authorities: act when data subjects in their country are substantially affected and cooperate with the lead supervisory authority on the matter.
This model provides uniform, cross-EU enforcement while giving individual countries flexibility on matters that concern data subjects residing within their own territory.
Factors in Calculating the Fine
Article 58 provides the supervisory authority with the power to impose administrative fines under Article 83 based on several factors, including, but not limited to:
- The nature, gravity, and duration of the infringement (how many people were affected and how much damage did they suffer?)
- Whether the infringement was intentional or negligent.
- Whether the controller or processor took any steps to lessen the damage.
- Prior infringements by the controller or processor.
- The degree of cooperation with the regulator.
- How the regulator found out about the infringement.
The Greater of €10 million or 2% of Global Revenue
If the supervisory authority determines that the non-compliance relates to technical and organisational obligations such as impact assessments, breach notifications, and certifications, the fine may be the GREATER of €10 million or 2% of global annual revenue from the previous year.
The Greater of €20 Million or 4% of Global Revenue
If the supervisory authority determines non-compliance with key provisions of the GDPR, regulators have the authority to levy a fine that is the GREATER of €20 million or 4% of global annual revenue from the previous year. This applies when a company does not comply with the core principles of processing personal data, infringes the rights of data subjects, or transfers personal data to third countries or international organizations that do not ensure an adequate level of protection.
The "Greater" of the Two
The word "greater" generates the most concern for those who must comply with this regulation. Global companies usually have annual revenue of tens of billions.
For example, Hooli Inc. generates €40 billion in revenue for 2017, and in 2018 it is found to have sold personal data to an international organization that lacks appropriate safeguards to protect the data. The supervisory authority will have the power to levy a fine of €1.6 billion (4% of €40 billion), which is far more than the alternative €20 million fine. While 4% fines will be reserved for the most flagrant violators, even a 1.5% fine (€600 million in our example) could make a big difference to a company that will also be dealing with pressure on its business from bad press and loss of market trust.
What Does all This Mean?
The time to start planning for GDPR compliance is now. May is very close, and time-consuming investigations and hefty fines may soon be a part of your business's day-to-day. Once you discover and inventory your data repositories and the sensitive data they hold, you can begin to properly scope your GDPR readiness project.
BroadPoint can help with GDPR readiness, give us a call.