The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. From that date, any business or individual that collects or processes the personal data of people in the EU, whether as a controller or as a processor, can be fined for noncompliance with GDPR. The regulation was adopted two years before it became enforceable, so there has been ample time to implement appropriate policies and procedures, and a lack of forethought is not a valid defense.
The size of the potential fine for noncompliance has many businesses worried. Because the maximum fines are so high, treating them as a cost of doing business is not a viable strategy: a business that is fined is still required to bring its processing into compliance, and the supervisory authority can additionally order it to suspend or stop processing personal data until its obligations have been met.
Now that the deadline for compliance with GDPR has passed, any business that has failed to do enough to become compliant ahead of the deadline should be committing additional resources to their compliance program to ensure all provisions of GDPR are satisfied as soon as possible.
What Are the Penalty Tiers for Noncompliance with GDPR?
There are two tiers of GDPR administrative fines, each defined as a maximum per infringement:
· The first tier carries a maximum fine of €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is the greater.
· The second tier carries a maximum fine of €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is the greater.
The tier is fixed by the provision that was infringed (see below); the amount actually imposed within that tier is decided by the supervisory authority (commonly called the Data Protection Authority, or DPA), which must ensure the fine is effective, proportionate and dissuasive. Factors the authority weighs include:
· The nature and extent of the noncompliance
· The gravity of the infringement and its consequences
· The duration of the noncompliance
· Whether the infringement was intentional or negligent
· The extent of any damage to data subjects
· Actions taken to mitigate that damage
· The number of people affected
· The categories of personal data involved
· How the infringement became known to the supervisory authority, in particular whether, and to what extent, the business notified it itself
· The level of cooperation of the business toward correcting any issues
· Past infringements
Administrative fines are not the only exposure. Member States may lay down additional penalties for infringements not already covered by administrative fines, and any person who has suffered material or non-material damage as a result of an organization's failure to comply with GDPR has the right to claim compensation from the controller or processor responsible.
What Infringements are Covered Under Each Penalty Tier?
Many potential violations of GDPR fall under the first penalty tier. These include, but are not limited to, failures to meet the requirements for:
· Integrating data protection by design and default
· Keeping records of processing activities
· Security of processing data
· Data Protection Impact Assessments
· Prior consultation
· Certification
· Designating a Data Protection Officer where one is required
· Notifications about breaches of personal data
· Cooperation with a supervisory authority
The second tier covers violations of GDPR relating to:
· The transfer of personal data to a third country or international organization without an adequacy decision, appropriate safeguards, or a valid derogation (explicit consent from the data subject being only one such derogation)
· Violations of the rights of data subjects, such as the rights of access, rectification, erasure and objection
· Failure to adhere to the basic principles for processing, including the conditions for valid consent, or processing personal data with no lawful basis
· Unlawful processing of special category data, such as health, biometric or genetic data
· Failure to comply with an order or a temporary or definitive processing ban issued by a supervisory authority
While fines are not expected to be issued the moment the deadline passes, investigations can and will be conducted into privacy complaints filed by data subjects, and supervisory authorities can audit policies and procedures on their own initiative.
It is therefore essential to accelerate compliance efforts and achieve compliance with GDPR provisions as soon as possible.
Companies that can demonstrate they have made a good faith effort to comply with GDPR, are working toward full compliance, and whose processing of personal data has not caused any harm, may escape with a warning or reprimand instead of a fine. Any certification the business holds under GDPR may, however, be withdrawn until it can demonstrate that it has met its obligations.