The General Data Protection Regulation will go into effect May 25, 2018. As it does, so will the penalties associated with any violations of this multifaceted and complex regulation. Simply put, the fines, described in the regulation as “effective, proportionate and dissuasive” are very harsh.
There are two tiers of fines. Which tier applies depends on the nature of the violation, specifically on which of the regulation's obligations the controller (the organization that decides why and how personal data is used) or the processor (the vendor that processes the data on the controller's behalf) has breached; whether either party has committed violations in the past is one of the factors regulators weigh when setting the amount within a tier, not what selects the tier. But don't be lax: even the lower tier will prove to be an expensive proposition; it carries a fine of up to 2 percent of the company's worldwide annual turnover or 10 million euros, whichever is higher. The higher tier carries a fine of up to 4 percent of worldwide annual turnover or 20 million euros, again whichever is greater.
There is some wiggle room for regulators in what they levy on companies. Intentional violations will naturally be dealt with more harshly than negligence. A company that can show partial compliance, or a documented effort to become compliant, may also see that treated as a mitigating factor in a case of negligence.
Much will depend on the gravity and duration of the violation. In some cases, regulatory authorities can issue a reprimand instead of a fine if the violation is minor and a fine would be a disproportionate burden on an individual. Yes, individuals can be fined under these regulations.
CMSWire has discussed what GDPR means for providers extensively over the past year. This article will give you a deeper look into what happens if you run afoul of these regulations. The following are some frequently asked questions on what potentially lies ahead.
Besides GDPR's Financial Penalties, What Else Could Be Levied?
There could also be actions brought by individuals who seek redress from companies with deep pockets, says Kevin Gibson, CEO and chairman of Hanzo. “It’s possible this could develop into a situation similar to claims British banks saw for illegal sales of payment protection insurance. In that case, claims ran into the tens of billions of dollars.”
Reputational damage from the misuse of personal data is also likely. “An increasing number of consumers will buy from companies who don’t misuse their personal data, or who they feel they can trust with their personal data,” says Gibson.
Will the Data Protection Authorities Really Levy 2-4 percent of an Organization's Revenues?
The DPAs certainly are not saying; why would they, when the rule is such an attention-catching stick? Behnam Dayanim, a partner in the Washington, DC office of Paul Hastings, for one, does not believe we will see penalties of that magnitude any time soon, if ever. “I think the main implication of creating such an onerous penalty regime is that it provides the regulators enormous leverage in demanding compliance and in negotiating penalties that, although won’t be that steep, will be far steeper than what we are used to seeing,” he says.
He also said that the market will get a better sense of how the DPAs will react after the regulation goes into effect. “Agencies like to be predictable so you’ll start to see over the course of an enforcement history, a pattern of behavior of how regulators are approaching these issues and what triggers higher penalties and what triggers lower penalties,” Dayanim says.
Who Will Be First to Be Penalized by GDPR Regulations?
“I would bet there is a significant breach from a multi-billion dollar company and the European Union will try to make an example out of it,” says Hyoun Park, an analyst at Amalgam Insights. There is no particularly significant reason to go after smaller organizations that would warrant only a minimal penalty. Regulators will want to make an example, says Park: “The EU, I believe, will be looking for a big dog to be taking down.”
Dayanim agrees, adding that it is almost a certainty that large US tech companies will be in the regulators’ cross hairs.
What Is Most Vulnerable to GDPR?
The breach notification provision, Park said. Once a company becomes aware of a breach, it has 72 hours to notify the supervisory authority, and where the breach poses a high risk to individuals it must also inform the affected people without undue delay. “I think that will be a key area that the regulators will be closely watching. It’s a rapid response capability that data and IT personnel have not had to meet for external stakeholders," he says. He points out, though, that it will be a challenging area for regulators, as they will have difficulty obtaining proof of a data breach.
How Aggressive Will GDPR Regulators Be When Looking for Non-Compliance?
“I would expect them to be very aggressive out of the gate in assessing compliance, but possibly content, at least initially, with issuing warnings and demanding corrective actions rather than levying huge penalties absent something egregious,” Dayanim says. He adds that enforcement of GDPR is vested in the individual national Data Protection Authorities, so we can expect some countries to take a harder line and resort to penalties more quickly than others.
Which Countries Will Impose the Harshest Penalties?
It is hard to predict with precision, but Germany has been among the most doctrinaire when it comes to data protection generally, including enforcement, according to Dayanim. “I would expect the German authorities to be among the more aggressive or assertive," he says.