By the time the General Data Protection Regulation (GDPR) enters into force on May 25, all companies must ensure compliance with its provisions; otherwise they open themselves to huge fines from the regulatory authorities.
The benefits of the GDPR are numerous. It will provide a better level of protection for users, and businesses will enjoy a more stable regulatory environment. A single piece of legislation will apply to the entire EU, so there will be no uncertainty with regard to data processing activities.
This is a step forward from the current tangled web of regulations, where each country has its own rules, making expansion and doing business between EU member states a nightmare. This is especially true for modern tech companies that absorb and process huge amounts of data.
The rules for increased data portability will have a marked effect on fostering competition between companies. Smaller startups will be able to attract new users much more easily than before, as even the large players will have to transfer data when requested.
Administrative fines can be levied by the regulatory authorities. Every EU member state will appoint one lead authority that will oversee all data protection practices in that country. The offenders can be punished according to the provisions of Article 83 of the GDPR.
Two levels of fines exist. The lower level is EUR 10 million or 2 % of the global annual turnover for the preceding year. The higher level is reserved for serious infringements and is double the lower level: EUR 20 million or 4 % of the global annual turnover in the preceding year, whichever is larger. A maximum fine won’t be issued in every case of infringement; however, it remains a possibility for repeat offenders.
In addition to fines, your company can also be sued by individuals who have been wronged in your data breach.
Degree of Infringement
Fortunately, most infringements will carry the lower tier of fines. These include a failure to implement the appropriate security measures, a failure to obtain reports and keep written records, non-cooperation with authorities, and not designating the official privacy representatives (such as data protection officers).
Grave infringements are punished with the higher tier of fines. These infringements include a failure to adhere to the basic principles for processing and consent, violating the rights of data subjects, ignoring previous regulatory orders, and failing to report breaches and maintain proper records.
Circumstances of your infringement also matter. If you have been cooperative and did everything you could to minimize the damage, then you are likely to get off with a much smaller fine, or perhaps only a warning. It also helps if you had a clean slate up to that incident and if your breach or infringement was unintentional.
Overall, we expect the GDPR not to cost you too much, and the authorities probably won’t go in guns blazing when it comes to fines. Just make sure you are taking the right steps toward compliance and you should be all set.
Visit us at GDPRInformer.com for more great tips and articles to prepare for the GDPR. Our extensive knowledge base will certainly help you!