With the new European Union General Data Protection Regulation coming into force in less than 12 months, in May 2018, it’s understandable that much of the talk about it concerns the fines and penalties that can face organisations who do not comply. All indicators are that the Data Protection Authorities (DPAs) will be under significant pressure to actually apply them, which means that non-compliant organisations will face the full force of the law. But what are the fines that organisations could actually be subject to?
Category A Fines
These are the fines that deal with preparedness and administrative failures in implementing a Data Protection compliance programme. They include, but are not limited to:
- Not executing a proper Privacy Impact Assessment
- Lacking a designated Data Protection Officer
- Issues with breach notifications to a Data Protection Authority or to data subjects
- Failure to implement data protection ‘by design and by default’ as required by GDPR
Category A fines are capped at €10 million or 2% of worldwide annual turnover, whichever is greater.
Category B Fines
These fines address actual breaches and major failures of GDPR compliance. This includes things such as:
- Conditions for consent (in obtaining or processing data, etc.)
- Lawful processing of data
- Right of access by the Data Subject (Subject Access Requests)
- Right of erasure (right to be forgotten)
- Right of rectification (accuracy of legally obtained personal data)
- Processing of a National Identification number
- Obligations of Secrecy
Category B fines can be up to €20 million or 4% of worldwide annual turnover, whichever is greater.
Member State Level Fines
What many people need to realise is that there is also some scope for individual member states to levy penalties for breaches related to the General Data Protection Regulation. These are generally for specific exceptional or criminal breaches and are intended to address those items that are not specifically dealt with by the new regulation, allowing individual member states to fill in the gaps with their local laws. For example, many member states differ in their definition of consent as it concerns children/minors, and the EU will continue to allow local enforcement and penalties in accordance with those laws.
Also, in some member states of the European Union, there is already precedent for finding company board members personally liable for non-compliance with data protection and data security laws, or for being responsible for serious data breaches. It is thought that this will continue after the implementation of the new European Union General Data Protection Regulation in 2018 and may even become more common as Data Protection Authorities look for ways to dissuade others from failing to comply with GDPR.