The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 after being adopted in April 2016. It creates a single European legal framework for personal data collection and processing standards and supersedes all previous legislation on this matter, such as the Wet bescherming persoonsgegevens, the old Dutch data protection law, which was repealed on the same date the GDPR came into effect.
The importance of the GDPR is that data can now be transferred around Europe under the same level of data protection. It also has many features which bring a great improvement from the point of view of the individual whose personal data is collected, tracked and even sold on a daily basis. One example is the possibility to prohibit the collection and processing of information that is not essential for the provision of a service. In the past such ‘extra information’, useful for marketing or sales, was often collected without consent (subtly) or under enforced acceptance of terms in the form of ‘no consent, no service’. Now such tricks are a direct and punishable violation of the regulation.
More importantly, the GDPR applies to anyone who processes personal data in the EU, or the personal data of EU citizens and residents. In our times, when everything is about personal data and business is global and transnational, this inevitably affects companies from outside the EU as well.
The GDPR distinguishes two types of bodies working with personal data: the ‘controller’ (the one who decides on the means and purposes of data processing) and the ‘processor’ (who processes the data on behalf of the controller). This is to ensure that when more than two entities are involved, with their roles in data processing separated, none of them can avoid responsibility for compliance or liability for damages.
Depending on the type of entity, many internal procedures and rules have to be designed and adopted, such as rewriting legal notices and drafting consents compliant with the requirements of the GDPR, ensuring transparency and the possibility of data access by the individual, and so forth.
Furthermore, a whole new level of supervision and controlling measures is brought to the data protection area. There will be (voluntary) certifications for compliance with the GDPR, and associations of controllers and processors (for example, insurance companies) can add self-regulation by drawing up codes of conduct.
In addition, certain companies are required to appoint a Data Protection Officer (DPO). Apart from the quite clearly defined requirement for public authorities and for companies processing special categories of data or data relating to criminal offences or convictions, it is not unambiguously specified who else needs to appoint a DPO, so there is room for subjective interpretation. Article 37 of the GDPR says that a DPO shall be designated where the core activities of the controller or the processor consist of operations requiring regular and systematic monitoring of data subjects on a large scale. In the financial sector we can safely assume that a bank or an insurance company must have a DPO. However, it is unclear where the threshold dividing ‘non-large scale’ from ‘large scale’ lies. Until there are additional clarifications, there is no firm ground for making the decision. The European advisory body on data protection and privacy (the Working Party), in its ‘Guidelines on DPOs’, admits that it is ‘not possible to give a precise number with regard to the amount of data processed or the number of individuals concerned’. There is only one specification: according to the recitals of the GDPR, the patients or clients of an individual physician or lawyer cannot be considered processing on a ‘large scale’.
Still, if you feel you might fall into the ‘large scale’ category, it is advisable to base the decision on the nature of your operations, common sense and best judgment. Of course, if resources allow, you can appoint a DPO anyway. Voluntary compliance with this provision of the GDPR can do no harm; rather, it can improve your processes and help you identify the risks and deficiencies your business might have in the data protection area. Finally, the GDPR requires that the contact details of the designated DPO be published and communicated to the supervisory authority.
The supervisory authority depends on the country, as each Member State designates its own. In the Netherlands, for example, it is the Dutch Data Protection Authority, an administrative body which was previously tasked with supervising compliance with the old data protection law (Wbp). It has a number of powers under the GDPR, inter alia carrying out data protection audits, issuing warnings, reprimands and orders to processors and controllers, and imposing bans on personal data processing.
Turning to penalties for non-compliance with the Regulation: the main point of the GDPR, and therefore of the sanctions it establishes, is to enforce personal data protection. The beneficiaries of this are individuals, and those same individuals are the main aggrieved party in case of a data protection breach. For this reason, the GDPR gives any individual (EU citizen or resident) the possibility to lodge a complaint with the supervisory authority. Your customers might therefore be the first to report you to the authorities if they think your processing of their personal data violates the GDPR.
Additionally, every individual whose rights under the GDPR have been infringed has a right to an effective judicial remedy. Interestingly, the supervisory authorities will inform the complainant if such a judicial remedy is available. Furthermore, any person who has suffered material or non-material damage as a result of an infringement of the GDPR can also claim compensation from the company which collected their data.
Finally, there are administrative fines imposed by supervisory authorities on a case-by-case basis. There are two levels of fines: up to 10 million euro or 2 per cent of global (worldwide) revenue, or up to 20 million euro or 4 per cent of global revenue. The ceiling is set quite high, and which level applies depends on the group of violations. The fines are supposed to be imposed on the principles of effectiveness and proportionality, and decided taking into account all the factors of the case, including the actual impact of the violation.
Not much is known yet about how this will work in practice. At this moment there are no examples of maximal, or even large, fines being imposed on any company, although some IT giants were accused of breaches on the very first day the GDPR took effect, and a decision in their cases may come in the near future.
Even though the maximum amounts will most likely be applied to the giant players with hundreds of thousands or millions of users, accounts and profiles, in cases of huge personal data leaks, the penalty amounts could turn out to be very painful for smaller businesses too. If the infringement is real and a fine is just around the corner, the following can help to reduce its amount:
- Ensure that you have preventive measures in place beforehand. Even if they did not help in a particular case, their existence will be considered in your favour;
- Immediately after a breach or violation has been identified, adopt mitigating measures. It is important to remember that the damage to the individuals whose personal data you process must be mitigated first and foremost;
- Notify the supervisory authority of the personal data breach. The GDPR directly requires this to be done within 72 hours (where feasible), unless the breach is unlikely to result in a risk to the rights and freedoms of individuals;
- Cooperate with the authorities. In particular, if you have received instructions (or an order) from a supervisory authority, do everything necessary to fulfil them, as failure to do so automatically puts you in the higher fine range.
To summarize, if you know that your organization is dealing with personal data but you do not employ or contract a specialist in that area, we would advise you to contact a professional for context-specific advice on how your company can better comply with the GDPR and be better prepared for any possible incidents.