GDPR is an EU regulation that requires organizations to protect the personal data and privacy of individuals in the EU, and it applies to any business that processes such data, whether or not the business itself is based in an EU member state. Non-compliance can cost companies dearly. Here is what every company that does business in Europe needs to know about GDPR fines.
What happens if my company is not in compliance with the GDPR?
The GDPR allows for steep penalties of up to €20 million or 4% of global annual turnover, whichever is higher, for non-compliance. However, most of the fines imposed so far have been relatively small.
According to the GDPR Enforcement Tracker, EU regulators had issued 282 fines as of May 29, 2020. The vast majority of those fines are in the low thousands to tens of thousands of euros. The largest fine to date is the €50 million penalty imposed on Google by the French regulator CNIL in January 2019, according to DLA Piper’s GDPR Data Breach Survey from January 2020. That fine was issued for lack of transparency and lack of valid consent for ad personalization.
Regulators have admitted that they do not have the resources to handle the volume of breach reports they receive, so it will take time for identifiable precedents to be established. Adding to that uncertainty is the perceived inconsistency in how fines are applied by the different national data protection authorities. “Ask two different regulators how GDPR fines should be calculated and you will get two different answers. We are years away from having legal certainty on this crucial question,” said Patrick Van Eecke, chair of DLA Piper’s international data protection practice, in the company’s report.
For now, the ability to show a good-faith effort to comply should protect companies from the harshest penalties. In a speech in 2018, Elizabeth Denham, the UK information commissioner, had this to say to organizations concerned about GDPR fines:
“…I hope by now you know that enforcement is a last resort…. Hefty fines will be reserved for those organizations that persistently, deliberately or negligently flout the law. Those organizations that self-report, engage with us to resolve issues, and demonstrate an effective accountability arrangement can expect this to be a factor when we consider any regulatory action.”