As we all know, legislation is of no use if it is not strictly regulated and enforced; and GDPR is of course no exception.  Under the GDPR, each member state is obliged to set up a Data Protection Authority (DPA), to monitor the application of the regulation. The DPA are empowered to issue enforcement notices, assessment notices and determinations; to protect individual’s rights to data protection. The obligations of the DPA can be divided into two parts:

  1. Ensuring that individuals can exercise their rights regarding the protection of their data
  2. Ensuring and monitoring whether the processing of personal data follows GDPR legislation

Under previous legislation, global organisations with establishments in multiple member states dealt with the supervisory authority in each differing country. Supervisory authorities under the GDPR however, will enforce the legislation in a consistent manner across the EU. This has been coined the ‘one stop shop mechanism’; a method to ensure that organisations can deal with cross-border privacy-related issues from their home-bases, and in a way that is consistent across the EU.

Suspicion of a violation

The DPA are entitled to investigate any company that they believe to be suspicious. Should it be deemed necessary, the DPA can order both the controller and the processor to provide any required information; whether it be their stored personal data, or any information needed for the performance of their tasks. This can consist of data protection audits or visits to the premises of the controller or processor.

Confirmed Violation

Under the circumstances that a violation has taken place, there are several penalties at the disposal of the DPA. Firstly, for relatively small breaches, the subject might be issued with an official warning and most likely ordered to bring their processing operations into compliance with the provisions of the GDPR. In circumstances where an individual’s rights have been ignored, the company may be ordered to treat the data in whichever way the subject prefers; whether this be the erasure of personal data or a restriction of processing to meet the data subject’s requests.

As businesses become more digitally connected, their data becomes increasingly valuable. The risks associated with non-compliance can therefore be detrimental. Under the GDPR, organisations that do not comply may be forced to delete all their data and additionally ordered to communicate the personal data breach to all subjects involved. This is likely to result in significant reputational damage, and other disruptive knock on effects.

As defined in the legislation, the severity of the stipulated penalty is dependent upon the corresponding article that has been breached. It has been emphasized however, that the imposing fines must be “effective, proportionate and dissuasive.”

Severe Measures

If the previously mentioned penalties do not lead to the desired result, the DPA are entitled to take more extreme measures. These can span from a temporary or definitive limitation to operating, or in the most extreme circumstances, a complete ban on processing. For global organisations, this may include the suspension of the flow of data to a third country or international organisation. The DPA can also order the complete revocation of a certificate which certifies that their international transfers comply with the GDPR.

Monetary Fines

For the most severe breaches of GDPR, companies may be hit with heavy fines.  The severity of the fine imposed is dependent upon which article has been breached. For the less extreme breaches, the DPA can issue fines of up to 10 million euros, or up to 2% of an organisations worldwide annual turnover of the preceding financial year. Infringements on an organisations obligations (including data security breaches), will be subject to the lower level fines; for example, failing to notify the supervisory authority following a data breach.

In the case of a more detrimental violation, the fine can reach up to 20 million euros, or 4% of the total worldwide annual turnover of the preceding year. In both cases this is dependent upon which one is higher. These fines will be imposed consequence to a breach on an individual’s privacy rights, such as sharing personal data without consent.

So, what can we take away from this?

On the one hand, the one stop shop mechanism will have an extremely beneficial impact upon businesses. With the same legislation across the EU, companies will no longer have to engage with multiple supervisory authorities and can rather rely on their local supervisory authority. On the other hand, it is evident that non-compliance can be detrimental and potentially financially crippling to the extent that it may even put some out of business.

Next month we will be providing insight into the Compensation aspects of the GDPR. If you would like to discuss the GDPR further please get in contact with us via: