After the GDPR Deadline: What Will Enforcement Look Like?
The European Union General Data Protection Regulation (GDPR) gives data protection authorities (DPAs) the power to impose substantial fines for non-compliance starting two weeks from now, on 25 May. It is still unclear, however, under what circumstances regulators will choose to use the authority they have been given, particularly with so many companies still working toward compliance.
Regulators have a wide range of options, and just as companies are struggling with the substantial changes the new regulation demands, the regulators will likely struggle with it too. One of their biggest challenges, beyond the sheer volume of investigations that may be needed, will be to set penalties during the first few years of the GDPR that are proportionate and consistent while still improving the data protection of individuals in the EU.
For some EU authorities, the GDPR is a substantial expansion of their current scope and powers. Reuters recently published a survey indicating that many data protection authorities will lack the funding and legal authority to fulfil all of the duties the GDPR gives them. Nevertheless, the inadequate preparation of some countries does not mean that businesses can let down their guard: many DPAs will no doubt see intentional non-compliance as an opportunity to send a message to organizations that have not yet begun sufficient preparations despite the two-year transition period since the regulation was adopted in 2016.
Regulators have a broad range of enforcement tools, and we will likely see a variety of them used in the first few years: firm action against those who made insufficient preparations, and more lenient treatment of those who made a genuine effort but fell short in execution.
At the higher end of the scale, beyond the administrative fines that are well known among compliance and privacy professionals (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements), the GDPR gives supervisory authorities other corrective powers under Article 58(2), including ordering the erasure of personal data processed in breach of the regulation and imposing a temporary or definitive ban on processing. Regulators may not start with such drastic measures, but they are available and are a real risk for organizations that are not in compliance.
If GDPR enforcement follows the path of the United States' Foreign Corrupt Practices Act (FCPA), the fine itself may not be the worst part of landing in regulators' crosshairs. Under the FCPA, which targets bribery of foreign officials and inadequate accounting controls, a corporation's response to a government investigation can cost substantially more than the eventual fine. Companies have spent hundreds of millions of dollars investigating potential violations and remediating their practices in light of what was found, well in excess of the fines ultimately imposed by the US government. It would not be surprising if the GDPR follows a similar path, with substantial legal and compliance costs whenever a regulator opens an investigation.
The uncertainty about fines, together with the potential cost of defending against regulatory investigations, has no doubt driven changes at many of the largest corporations ahead of the GDPR deadline in two weeks. Some of the largest companies have spent more than $10 million bringing their data privacy and protection practices into GDPR compliance so that they can continue operating in Europe. Other businesses have decided that the risk of fines and the cost of compliance are too high and have instead cut off business with individuals in the EU, moved operations outside the European Union, or shut down products that carried a high risk of enforcement action.
Recent surveys of business executives have found another group that simply will not be ready for the GDPR until 2019 or later. The survey results do not make clear whether these businesses have decided to accept some risk of GDPR fines or simply lack the resources to move so quickly on a compliance issue. Either way, regulators will have plenty of opportunity to exercise their authority if they choose to.
In light of the law's pending application and the open question of enforcement, the United Kingdom Information Commissioner's Office (ICO) has issued a Draft Regulatory Action Policy for public comment over the next two months. The ICO is the data protection authority for the UK and an active publisher of guidance for businesses operating there on its interpretation of the GDPR and how to comply with it.
The ICO draft identifies criteria that the agency will consider in determining its enforcement approach, and thus provides insight into what companies can expect from other regulators as well. These criteria include:
- the nature and seriousness of the breach or potential breach;
- the categories of personal data affected and the level of privacy intrusion;
- the number of individuals affected and any exposure to physical, financial or psychological harm;
- whether the issue raises new or repeated issues;
- gravity or duration of a breach or potential breach;
- whether the issue is one that may occur across a group or sector if unaddressed;
- cost of measures to mitigate any risk, issue or harm;
- public interest in regulatory action;
- whether another regulator has taken action; and
- the expressed opinions of the European Data Protection Board.
Additional potential aggravating or mitigating factors that may be taken into account if relevant include:
- whether the organization's attitude and conduct suggest an intentional, wilful or negligent approach to compliance;
- whether relevant advice, warnings or guidance from the ICO or the organization's data protection officer (DPO) has been followed;
- any action taken to mitigate or minimise the damage suffered;
- whether the organization is certified under Article 42 of the GDPR, and whether it has followed or failed to follow an approved code of conduct under Article 40;
- the prior regulatory history of the organization;
- the vulnerability of any individuals affected;
- the availability of protective or preventative measures and technology;
- whether the organization notified the ICO of the issue; and
- any financial benefits gained or losses avoided directly or indirectly by the organization.
There is no guarantee that other data protection authorities will take the same approach, but it is a reasonable assumption that they will adopt similar criteria, not least because the ICO's list closely tracks the factors that Article 83(2) of the GDPR itself requires every supervisory authority to weigh when deciding whether to impose a fine and how large it should be. Companies looking to assess their risk of a substantial fine should work through the ICO's factors with their legal counsel and determine their own level of exposure.
The publication of these factors does not, unfortunately, mean that businesses that score well against them are safe from enforcement. The guidelines are still a draft and may change based on public feedback or future developments. We will continue to monitor the regulators' guidance as well as early enforcement actions and investigations to stay on top of this important issue.
Discover the Benefits of Privacy Management Software with Clarip
The Clarip data privacy software and team are available to help improve privacy and trust at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, try our modular GDPR software. Start with our automated GDPR data mapping software, enhance your privacy program with DPIA software, and meet ePrivacy requirements with the cookie consent manager.
If California Consumer Privacy Act compliance in 2020 is on your radar, ask us about our CCPA software. Improve efficiency of responses to data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with our consent software.