Back in May 2018, the world watched anxiously as the European Union implemented its much-anticipated General Data Protection Regulation (GDPR). Fear of huge fines loomed as businesses scrambled to figure out what documentation was needed and how to re-orient their processes to comply with the regulation. And then … not too much in the way of repercussions was seen.
The fact is that handing out fines is an investigative process that takes some time. But, the time has come. The biggest GDPR fine ever was just handed out, and that’s just the starting point.
How do GDPR fines work?
In case you’re not familiar with the regulation (review our Complete Guide to GDPR here), companies that do not follow the rules are subject to hefty fines. Maximum fines can be up to €20 million or 4% of worldwide annual revenue – whichever is higher.
Supervisory agencies have been identified in each of the EU member nations with their function being to monitor GDPR compliance. To ensure consistency in terms of how the regulation is applied throughout the member states, an overarching body, called the European Data Protection Board, was also established. Together, these serve as official authorities responsible for the oversight of data handling practices and their legality; they offer advice and counsel, accept violation reports, investigate claims and hand out consequences when necessary.
Another important point to keep in mind is that, while large fines may be headline grabbing, they are not the only possible outcome that can result from an infraction.
Supervisory authorities look at many factors when determining if a company has violated the GDPR and what the resulting consequence will be. For instance, supervisory authorities examine:
- how severe the infraction was,
- how likely it is that a data breach could expose customer records,
- what steps the company has taken to ensure compliance,
- how long the infraction was in effect, and even
- how well the company cooperated in addressing the claim with the supervisory body.
Another important point to keep in mind is that, while large fines may be headline grabbing, they are not the only possible outcome that can result from an infraction. Other actions that the supervisory boards are permitted to take include issuing warnings, withdrawing certification, or forcing a company to cease data processing activities.
So, have supervisory authorities taken action yet?
Yes! The largest fine under GDPR was just handed out this past week to tech giant Google. CNIL, the French supervisory authority, found Google guilty of failing to provide enough information about data consent and not giving users control over how their data was being used. Google was fined €50 million (nearly $57 million). That would be a crippling sum to some businesses; however, based on their 2017 revenue, Google could have been facing a fine of more than $4 billion.
And, it’s not only France that’s ramping up its quest for compliance. Portugal also issued its first fine under GDPR this week. The Centro Hospitalar Barreiro Montijo was fined $400,000 because personnel who were not physicians had been given access to confidential patient information. Again, the sum is a fraction of what the fine could have been, so there’s no need to panic.
For business owners, complacency is no longer an option; it's time to take heed of all aspects of your data handling processes.
Fines are being handed out with what seems to be proper investigation. However, if you aren’t able to demonstrate that you’re working towards GDPR compliance, you could certainly be hit harder. The mechanisms are in place and active now.
For business owners, complacency is no longer an option; it’s time to take heed of all aspects of your data handling processes. If you’re not sure what to do, get help. If you think there’s room for concern, fix it. But, make sure you don’t become the next Google France; after all, no one wants to pay out €50 million when it could have been avoided all together.
Read more about how OTRS can be your partner in making GDPR compliance easier.