GDPR Regulators Announce Fines Coming by Year’s End
The GDPR Regulation
On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect in the European Union. The purpose of this regulation is to protect the privacy of EU citizens by clearly defining the responsibilities of organizations that process personal data, and the fines and other penalties that can be levied on an organization for non-compliance.
The GDPR affects any organization that is processing the data of EU citizens, regardless of the location of the organization’s headquarters or data processing facilities. This means that multinational companies like Facebook, Google, Apple, etc. fall under the jurisdiction of the EU regulation.
Enforcement of the GDPR is overseen by the European Data Protection Supervisor (EDPS). The EDPS has a variety of enforcement powers ranging from taking an advisory role to levying fines of up to 4% of a non-compliant organization’s global revenues or 20 million Euros, whichever is greater.
The GDPR Announcement
On October 9, 2018, the current European Data Protection Supervisor (EDPS), Giovanni Buttarelli, made a statement to the press that the first fines levied under the GDPR are likely to be issued before the end of 2018. The announcement also stated that the enforcement actions taken by the end of the year will not be limited to levying fines on organizations; some non-compliant organizations may receive bans or other administrative penalties. This announcement (and the levying of fines) is significant because it demonstrates that GDPR regulators are willing and able to penalize organizations that fail to comply with the regulation.
How This Affects Your Organization
The first organizations to be fined under GDPR have most likely already had cases filed against them. The introduction of the new regulation has caused a dramatic increase in the number of privacy-violation complaints filed. In the first six weeks of the new regulation (May 25 through July 3), approximately 6,300 grievances were filed within the UK alone. The number of grievances filed in France and Italy alone has increased by over 50% since the regulation came into effect. The sheer number of filed complaints means that any new violations detected now are unlikely to be fined before the end of the year.
How Should Your Organization Respond?
The best way to protect your organization against being fined for GDPR non-compliance is to know your responsibilities under GDPR and what does or does not constitute an infraction under the new regulation. This matters both for proactively preventing infractions and for knowing whether a potential cyber incident is a reportable offense under the GDPR. Many of the current reports to GDPR authorities are not actually violations, and knowing this can reduce strain on both your organization and the regulators.
Understanding the GDPR and how it affects your company is essential to compliance with the regulation. If you are unsure how GDPR affects your organization, or whether a potential breach is a reportable violation, it is important to seek expert guidance.
Sword & Shield is uniquely qualified to perform your GDPR assessment based on our ability to get to know your organization, systems, processes and documentation, and to apply this information to GDPR using our compliance expertise. We have a team of GDPR experts who can help your organization identify whether and how GDPR applies to your company, conduct incident management, and determine whether a cybersecurity incident is a reportable violation under GDPR.