May 25 is just around the corner. This is the day when the General Data Protection Regulation (GDPR) (Regulation [EU] 2016/679) becomes enforceable. That is correct: this regulation replaced the 1995 Data Protection Directive on April 27, 2016, but the transition period is now almost over, and it really is time to start worrying about potential penalties for noncompliance and breach.
This European regulation is a transnational law that is enforceable against any and all companies that do business with European citizens. It matters not where the data is kept: if it relates to a citizen of the EU, whether they are German, Polish, Spanish, Irish, or from any of the twenty-eight* member states, the company receiving the data is obliged to comply with this regulation.
The regulation provides a single set of rules for the protection of EU citizens' data. It applies to all member states and citizens, whether they live within the EU's borders or abroad as expatriates. Yes, that is correct: if you do business with a UK citizen living in Australia, GDPR still applies.
I have waxed lyrical about the scope of the act previously here, here and here, but today I want to concentrate on the penalties that are enforceable against a company.
First, let’s define what information is covered and which companies GDPR will affect.
As to the information covered, it is quite broad: it covers not only a person's basic identity information—such as name, address, and ID numbers (national insurance number, Social Security number, driver's license)—but also web data—location, IP address, and cookie data. It also covers more sensitive categories such as health, genetic, and biometric data; racial and ethnic data; political opinions; and sexual orientation. This is quite a broad swath of personally identifying information.
As to the companies it will affect, again this is a broad swath. It covers any company with a presence in the EU and any company that has no presence in the EU but processes the personal data of EU residents. What about SMBs, or companies with fewer than 250 employees? SMBs have a bit of a get-out-of-jail-free card in that they can be exempted if their data collection does not affect the rights and freedoms of the data subject (collecting health, genetic, biometric, racial, ethnic, political, or sexual orientation data would) or if their data collection is only occasional (we service 100,000 customers with our widgets, but Hans from Germany is our only European customer, and he has purchased from us only once). Taking this into account, according to a PwC survey, more than 92% of all U.S. companies could fall under the umbrella of GDPR.
If you are one of the 92%, then YOU NEED TO SHOW YOU ARE COMPLIANT BY MAY 25, 2018.
What if you are found to be noncompliant or suffer a breach after May 25, 2018? Well, the following sanctions, as listed in Wikipedia's General Data Protection Regulation entry, can be imposed:
- A warning in writing in cases of first and unintentional noncompliance
- Regular periodic data protection audits
- A fine of up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, if there has been an infringement of the following provisions (Article 83, Paragraph 4):
  - The obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43
  - The obligations of the certification body pursuant to Articles 42 and 43
  - The obligations of the monitoring body pursuant to Article 41(4)
- A fine of up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater, if there has been an infringement of the following provisions (Article 83, Paragraphs 5 and 6):
  - The basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9
  - The data subjects' rights pursuant to Articles 12 to 22
  - The transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49
  - Any obligations pursuant to member state law adopted under Chapter IX
  - Noncompliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1)
This sounds quite draconian, you say? Well, we are talking about a person's identity. Will this be enforced? Very likely. Prior to the enforcement date, a company has been liable for a fine of up to £500,000 ($700,000). After May 25, the fines are 2% of a company's annual worldwide turnover or 10 million euros for an infringement of Article 83, Paragraph 4, or 4% of annual worldwide turnover or 20 million euros for an infringement of Article 83, Paragraphs 5 and 6. However, here is the key phrase in the legislation: "whichever is higher." This means that an infraction can financially ruin a company if it is considered bad enough to merit a large fine. Now, this may seem harsh, especially for SMBs, but consider this: previous laws have had no teeth. The UK's largest fine to date was £400,000 ($550,000) against TalkTalk, a company that made an operating profit of £54 million in the year of its offence.
However, the fact is that if the breach is inadvertent, a company will only receive a written warning for a first offense, and it may then be subject to periodic data protection audits over a span of time. If you are prepared for GDPR and have your governance in place, you should be OK.
* Soon to be twenty-seven, not that this will change the compliance status of transnational companies, as GB citizens will still be covered by GDPR.