If you’re an IT professional working for a company based in Europe, you’re probably pretty familiar by now with the General Data Protection Regulation, legislation that was enacted in 2016 by the European Union and is aimed at protecting the privacy of EU citizens’ personal data. It expands on the Data Protection Directive of 1995, which it replaces.
The GDPR is a complex, multi-part regulation and compliance generally will require the implementation of a set of solutions that work together to meet all of the requirements that apply to your particular organization. Whether your org is considered a controller (the entity that collects the data) or a processor (such as a cloud services provider that processes data on behalf of a controller), failing to comply with the applicable GDPR requirements can have significant consequences.
Before I go into what some of those can be, I want to insert the standard disclaimer here: I am not a lawyer, this article does not constitute legal advice, and it’s highly advised that you consult an attorney who specializes in GDPR compliance for an analysis of whether the measures your organization has taken and/or plans to take bring you into full compliance with the GDPR.
Who has to comply?
If your organization is based in the United States or another country outside of the EU, you might think the GDPR is something you don’t need to worry about, but chances are you would be wrong. If your company does business with residents of the EU – whether or not they are paying customers and whether or not they are citizens of an EU country – or collects or processes the personal information of EU residents or even just tracks their web-browsing habits with cookies, it’s likely the GDPR applies.
When do you have to comply?
Although the GDPR was enacted more than a year ago, the EU regulators (European Parliament, EU Council, and European Commission) recognized that it would take time for organizations to put the necessary measures into practice, so they built in a grace period. Enforcement takes effect in May of 2018, giving organizations some time to assess and plan what they need to do in order to comply with the requirements.
What happens if you fail to comply?
The consequences of failure to comply are the focus of this article, but the answer to that question, at the time of this writing (September 2017), is that nobody knows for sure. The Regulation lays out maximum penalties, which differ depending on the type of offense. It also provides that all penalties are to be “effective, proportionate to the offense, and dissuasive.” But what does that mean in practice?
In some circles, a state of fear has been created around the GDPR. Headlines in the tech and business press scream dire warnings that the deadline is coming at us like a freight train, with the implication that if an organization isn’t in absolute, one hundred percent compliance at the stroke of midnight on May 25 of next year, it will face apocalyptic consequences.
It’s in the interests of journalists to over-sensationalize the possible penalties in order to draw in more readers, and it’s in the interests of the many companies selling GDPR compliance solutions to overstate the ramifications in order to sign up more customers. So what is the real story?
To be sure, the GDPR – like all governmental acts that regulate business – is a serious matter and shouldn’t be ignored. One of the significant differences between the Directive and the GDPR is that the latter greatly increases the maximum fine amount – up to €20,000,000 (which, at the current exchange rate at the time of this writing, is equal to $23,881,000 USD) or up to four percent of the company’s annual “global turnover” for the preceding year, whichever is greater.
“Global turnover” refers to total revenues, net of taxes. For a corporate giant such as Apple, Amazon, Microsoft, Google, Samsung, or Exxon Mobil with annual revenues in the billions, that four percent represents a tremendous amount of money.
The scare stories tend to lead with these big numbers, but it’s important to remember that a) many companies don’t make enough money for the four percent figure to exceed the fixed cap, and especially b) the amount of the fine – if any – that is actually imposed will depend on a number of different factors. Article 83 of the GDPR addresses in detail the conditions for imposing administrative fines, and specifically names factors that are to be taken into consideration:
- The nature, gravity, and duration of the violation
- The categories of personal data that are affected
- Previous violations
- Intent or negligence
- Actual harm done and efforts to mitigate the damage to data subjects
- Degree of responsibility of the controller or processor
- Certifications and adherence to codes of conduct
- Reporting of the violation
- Cooperation (or lack thereof) with authorities
In addition, the €20,000,000 maximum applies to the higher of two tiers of violations, which includes more serious offenses, such as those pertaining to the rules for obtaining consent, data subjects’ rights, rules governing data transfer, obligations to member states, and violation of an order.
The lower tier of violations has a maximum fine limit that’s half that of the upper tier: €10,000,000 or two percent of annual turnover. Some violations that fall into this category include:
- Obligations to notify the data subject whose personal data was affected of a data breach
- Obligations to notify the supervisory authority of a data breach
- Failure to properly designate a data protection officer (when required)
- Certain conditions surrounding obtaining a child’s consent
It’s interesting to note that Denmark and Estonia are different in regard to the penalties. Their own national laws don’t permit them to impose the administrative fines prescribed by the GDPR, but fines can be imposed through their court systems.
Given all this, it’s by no means certain that your organization will be hit with a huge fine if it doesn’t manage to comply with every single aspect of the Regulation by May 25, particularly if you can show that you’ve made a good faith effort to do so and the violation hasn’t caused harm to someone.
Article 58 provides for the issuance of warnings and reprimands in addition to or instead of the imposition of fines. You could also have your certification withdrawn, or be ordered to take action to carry out one or more of the obligations under the Regulation.
Who decides what (if anything) you’ll pay?
Fines are assessed by supervisory authorities, or Data Protection Authorities (DPAs). These are the entities appointed to implement and enforce the European privacy laws in each member nation. This is not new with the GDPR; the Directive that came before it addressed the appointment, responsibilities, and jurisdiction of DPAs, providing that each DPA enforces data protection law at the national level and is also tasked with providing organizations with guidance on how the privacy laws are to be interpreted.
The roles and responsibilities are generally the same after the replacement of the Directive with the GDPR. Article 51 of the GDPR requires that “each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation.”
Both the Directive and the Regulation require that the persons acting as DPA must have the skills and experience necessary to perform the role and be subject to a duty of professional secrecy. The GDPR adds that each DPA must be created through a transparent procedure, although such procedure isn’t described.
DPAs have a great deal of power in enforcing the GDPR. They are authorized to hear claims brought by data subjects, investigate alleged violations of the GDPR and to institute legal proceedings against violators. They are required to keep records and publish reports of their activities and enforcement actions.
DPAs operate independently, but they also work together, with the head of one supervisory authority per member state making up the European Data Protection Board (EDPB). The primary task of the Board is to ensure consistent application of the Regulation across the EU states. Chapter 7 (Articles 60-76) is all about cooperation and consistency and this is where the Board’s responsibilities are defined.
Because each nation has its own DPA, matters can become complicated if your organization processes personal data across multiple EU countries. You would generally only deal with a DPA if your organization has been reported to have engaged in a serious violation of the privacy law. In that case, your legal representatives should have experience in EU privacy law in general, the GDPR in particular, and in dealing with DPAs.
If the GDPR applies to your organization – and it probably does if you collect any sort of information about anyone who resides anywhere within the EU – you can’t afford to ignore it. Hefty fines, while not automatic, are a possible consequence. But don’t panic; the GDPR isn’t quite as scary as you might have thought. Its purpose is to protect the privacy of personal data, not to hand out harsh punishment to companies that are making an honest effort to comply.