The Regulatory Imperative of the GDPR, Part 2

DRIVERS FOR INTRODUCING THE GDPR

The GDPR is one element of the European Commission's Digital Single Market priority, which is aimed at moving from 28 national markets to a single market that is designed for the digital age. The new regulation makes a contribution toward this priority in a number of ways, two of which are worth calling out:

  • Firstly, it both modernizes (takes account of the rapid and significant technological developments of the past two decades) and harmonizes the legal framework for data protection across the EU, removing the nuanced implementation approaches that flourished under the previous Directive. With one law on data protection across all 28 member states, organizations no longer have to manage different data protection approaches per market. The European 
  • Secondly, there is now a level playing field for organizations related to data protection. Essentially, the test of applicability has shifted from whether the organization is domiciled within an EU market to whether the data collected or processed relates to an individual natural person who is domiciled in an EU market. If so, the principles of data protection apply regardless of where the organization is based.

COMPLIANCE REQUIRED BY MAY 2018

The new regulation was published officially in early May 2016, and was effective immediately with implementation required by all affected organizations by May 25, 2018. This means that organizations now have less than 18 months (as of the publication of this white paper) to comply with the data protection provisions of the regulation and, as noted previously, lack of physical presence in the Union is not grounds for exemption. The transition period has already begun and is now one quarter completed.

SIGNIFICANT FINES FOR NON-COMPLIANCE

The regulation has global impact with real bite attached. Organizations found in breach of the requirements can be subjected to a range of administrative interventions, as well as a two-tiered financial penalty regime: a €10 million fine or two percent of global revenue (whichever is higher), or a €20 million fine or four percent of global revenue (whichever is higher). Those numbers can become quite large, quite quickly. For example, one of the banks in the United Kingdom suffered a breach of personal data during 2016; had this been subject to the financial penalties regime of the GDPR, the bank could have seen a fine approaching £2 billion, in addition to the indirect financial and non-financial impacts, including reputational damage.

In ascertaining the amount of any fine to apply, Article 83 of the GDPR makes clear the intent is that it should “be effective, proportionate and dissuasive.” Any fine must be calculated in light of multiple factors, including the nature, gravity and duration of the infringement; the presence of negligence; organizational and technological mitigations in place; the categories of personal data affected; and whether the organization itself notified the supervisory authority of the infringement. Article 83(2) lists 11 separate factors for a supervisory authority to evaluate when setting the level of the fine. Articles 83(4) and 83(5) specify the types of infringements that fall into the two-percent and four-percent regimes, with infringements of the basic principles for processing, data subjects' rights, and transfers of personal data falling under the higher fine regime. The four percent/€20 million fines also apply where the controller or processor fails to comply with an order by the supervisory authority under Article 58(2).

Any organization currently holding personal data on EU residents essentially has one of two choices: cease doing business with EU residents (and permanently delete or fully anonymize all currently held personal data), or proactively comply with the requirements of the GDPR. A third option, doing the bare minimum required, will heighten the risk of falling foul of the regulation and increase the likelihood of being subject to significant fines. Even if your organization can pay any fine levied under the GDPR, doing so does not get you any closer to protecting the personal data of EU residents. If you want to stay in business after paying the fine, you will then need to take the more proactive approach that is available now.

Requirements of the GDPR, Part 1