A Guide to GDPR Compliance

The GDPR (General Data Protection Regulation) which came into effect on May 25, 2018, in brief, is a European Union data privacy law that requires organizations to keep data safe, whilst also giving people more control over how their data is used. Compliance with this law requires a coherent review of all processes in an organization followed by the implementation of a comprehensive change plan. In previous contributions, we paid attention to the steps to be taken in order to achieve an acceptable level of compliance through such a change program.

In this article, we will focus on infringements and fines.

In search of guidance on how to define its own data protection strategy and prioritize data protection measures, a company will naturally want to look at its peers and the competent authorities’ practice. Apart from the lawfulness of each data processing operation, bolstering data security should remain a board room matter for every organization. Litigation of data protection is set to increase in the near future and organizations that maintain up-to-date security measures will be best prepared for the future and be protected from potential litigation.

This article offers an analysis of the provisions cited to support the imposition of fines on GDPR violators. Based on this analysis, in-house legal advisors may be better able to predict which European Union (EU) member countries may take a leading role in enforcement actions and levying future fines under the GDPR. This article may serve as guidance to organizations doing business in the EU. These findings suggest changes in behavior or business location that could reduce both the likelihood and severity of GDPR fines.

During the first year of enforcement, the Data Protection Authorities (DPAs), the independent bodies charged with investigating and enforcing the GDPR, largely followed the European Commission (EC) guidelines for assessing violations and setting associated fines. The guidelines were developed by the EC European Data Protection Board (EDPB), an independent body charged with the consistent application of data protection rules across the EU, and the 28 EU DPAs.

A total of 15 EU Member States brought enforcement proceedings that resulted in the issuance of an estimated 91 fines. The fines levied to date indicate EU DPAs are acting conservatively, generally imposing fines below the maximum allowable under the regulation. Even for more serious violations of data principles and rights, DPAs generally did not impose the maximum allowable fines. In the first year of enforcement, DPAs tended to issue fines in conjunction with corrective measures in what appears to be an attempt to encourage changes in attitude and behavior concerning the protection of personal data.

Under the GDPR, there are two tiers of fines. The lower, tier-one fines — up to €10 million or 2% of the firm’s worldwide annual revenue from the previous financial year, whichever is higher—are applied for less severe infringements. Typically, violations of Articles 8, 11, 25–39, and 42–43 receive tier-one fines. These articles generally address rules governing data collection, control, and processing (i.e., data collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction);

The higher, tier-two fines — up to €20 million or 4% of the firm’s worldwide annual revenue from the previous financial year, whichever amount is higher — are applied to more severe infringements. Generally, violations against Articles 5, 6, 75, 9, 12–22, and 44–49 warrant higher fines because these infringements “go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR.”

Germany, Hungary, the Czech Republic, Bulgaria, and Cyprus issued the most fines during the first year of GDPR enforcement. Of these countries, Germany issued more fines than any other EU Member State (about 45), while France issued the highest fine (€50 million against Google). In the coming years, DPAs from Germany, France, the United Kingdom (UK), and Ireland are likely to be among the most influential in terms of calculating and setting fines. The sheer volume of multinational corporations headquartered and/or doing business in these countries suggests the fines issued by these DPAs will be precedent-setting.

Importantly, in late 2015, the European Court of Justice (ECJ) — Europe’s highest court — invalidated the US-EU Safe Harbor Agreement between the EC and the U.S. Department of Commerce. The Safe Harbor agreement was succeeded by the Privacy Shield Framework in 2016, which, along with binding corporate rules and standard contract clauses, allowed for the legal transfer of EU residents’ personal data from the EU to the United States. However, “organizations that self-certified under the Privacy Shield are not GDPR compliant simply by virtue of their self-certification and must take additional steps to document their compliance with the GDPR.” Therefore, an organization that is certified under the Privacy Shield program may not be GDPR compliant and may be exposed to fines and other enforcement actions under the GDPR.

In the future, one country may emerge as the most influential DPA—Ireland. Ireland’s Data Protection Commission (DPC) may play an outsized role among all EU DPAs. Ireland is home to approximately a thousand globally recognized U.S. multinational companies across the financial, information, communication, technology, and pharmaceutical industries. Companies such as Google, Apple, Facebook, PayPal, Microsoft, Yahoo, eBay, AOL, Twitter, all have a presence in Ireland. DPC enforcement actions, therefore, will have an extraterritorial impact on some of the world’s most recognized companies and serve as a model for how the GDPR should be enforced by other EU DPAs. As interpreted by more than one U.S. law firm, this expansive view of jurisdiction under the GDPR leads to the conclusion that a firm not located within the EU “will still be subject to the GDPR if it processes personal data of data subjects who are in the EU where the processing activities are related ‘to the offering of goods or services’ (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or ‘the monitoring of their behavior’ (Article 3(2)(b)) as far as their behavior takes place within the EU.”

EU data regulators focused on four GDPR Articles – Articles 5, 6, 15, and 32 – to substantiate the bulk of levied fines. By far the most frequently cited was Article 5 (principles relating to the processing of personal data). The principles of Article 5 include protecting personal data by ensuring appropriate levels of security to reduce the risk of unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”). Article 5 also ensures personal data is collected in a limited manner, for a specific, explicit, and legitimate purpose. Article 5 violations were cited an estimated 30 times from among the 91 fines levied. Many regulators from across the EU found Article 5 infringements such as failure to process personal data lawfully, fairly, and in a transparent manner; prevent the use of personal data for new purposes incompatible with the purpose for which the data were initially collected; delete personal data; and, prevent indiscriminate access to an excessive number of user data.

In addition, Article 6 (“lawfulness of processing“) was the second most often cited infringement with a total of twelve violations. Under Article 6, lawful processing of personal data requires one (or more) of six factors: (1) obtained consent of the data subject; (2) data processed in the performance of a contract; (3) data processed to comply with a legal obligation of the Member State or EU; (4) data processed to protect vital interests (i.e., interests essential for the life of the data subject or for humanitarian purposes); (5) data processed to perform a task that is in the public interest (e.g., a local government authority using personal data to collect taxes); or (6) data processed where necessary to fulfill legitimate controller (individual or entity that determines the purpose and means of processing personal data, such as a payroll management company) or third-party interests.

Articles 32 (“security of processing personal data“) and 15 (“right of access by the data subject“) were the third most cited infringements with a total of 7 violations each. Under Article 32, appropriate technical and organizational measures must be implemented to ensure security appropriate to the risk including, but not limited to, the pseudonymization and encryption of personal data. Article 15 provides a right of access whereby the data subject may request information about how personal data is being processed. Data subjects have a right to request a copy of the data being processed, the purpose for processing the data, categories of data being processed (e.g., name, address, phone number), and any third-party recipients of the personal data, among others. Generally, regulators tend to levy fines for failures related to the lawful processing of personal data, including security measures to protect personal data.

A review of the types of infringements and associated fines shows DPAs — at this stage — want to change the perception of data protection, to view data as an asset to be protected. DPAs seek to change attitudes and behaviors via both compliance with the rules and, for egregious infringements, application of the stick — the fine. One of the EC guiding principles is that fines should “adequately respond to the nature, gravity and consequences of the breach” and DPAs should “identify a corrective measure that is effective, proportionate and dissuasive.” Neither the guidelines nor Article 83 (“general conditions for imposing administrative fines“) define what is meant by “effective, proportionate and dissuasive” but the guidelines specify that the DPA may consider whether to “reestablish compliance with the rules or to punish unlawful behavior (or both).” As a rule, DPAs did not issue maximum allowable fines, but when they did, they tended to follow EC guidelines.

In accordance with the guidance, DPAs tend to apply higher fines when any one or more of four circumstances are present. First, where “the number of data subjects affected“, and subsequent level of damage, warrants it. For data beaches that are found, for example, that originate from “systemic breach or lack of adequate routines in place” and impact a number of data subjects, higher fines might be levied. For example, the Danish DPA issued a €161,000 fine against a Danish taxi company after an investigation found the company stored personal data of approximately nine million customers without a legitimate reason. Here, the number of data subjects impacted warranted a higher fine.

Second, if there are “several different infringements committed in any one particular case“, the DPA may impose a higher fine and/or prescribe corrective measures. For example, the DPA of France — the Commission Nationale de l’Informatique et des Libertés (CNIL) — characterized Google’s data processing as “massive and intrusive in nature” and levied a €50 million fine against Google in part for violating multiple articles: lack of transparency (Article 5), insufficient information (Articles 13 and 14), and lack of legal basis (Article 6). Though Google is appealing the decision before France’s Supreme Administrative Court, the depth of the fine was in part substantiated by the breadth of different infringements.

Third, “intentional acts or negligence triggers the possibility of higher fines.” The guidance specifies, for example, that “willful conduct on the data controller’s part, or failure to take appropriate preventive measures, or inability to put in place the required technical and organizational measures” weighs into the DPA’s assessment of the level of a fine. For example, the Portuguese DPA levied a €400,000 fine against a hospital as a result of failure to protect patient data, allowing hospital staff to indiscriminately access patients’ data. The Portuguese DPA substantiated the fine by finding violations of three Articles: Article 5 for allowing indiscriminate access to an excessive number of users, Article 83 for violating basic data processing principles, and Article 32 for failing to ensure “continued confidentiality, integrity, availability and resilience of treatment systems and services” and failure to implement “measures to ensure a level of security adequate to the risk.”

Fourth, the “duration of an infringement” is another factor. For example, if data is exfiltrated as a result of a data breach and that data breach goes undetected for a long period of time, the length of time will likely be a factor in determining the damage to data subjects and the resulting fine.

The data supports the conclusion that DPAs largely followed the EC guidelines in assessing and levying fines during the first year of enforcement. Most of the fines were for violations of the aforementioned Articles: 5, 6, 32, and 15. By far the most frequently cited was Article 5 (“principles relating to the processing of personal data“); Article 6 (“lawfulness of processing“) was the second most cited infringement; and, Articles 32 (“security of processing personal data“) and 15 (“right of access by the data subject“) were the third most cited infringement.

Generally, violations against Articles 5, 6, 7, 9, 12–22, and 44–49 warrant higher fines because these infringements “go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR.” However, in the first year of enforcement, fines were generally conservative and did not reach the maximum threshold. As more fines are levied, and some appealed through the courts, the guidelines will need to be updated to reflect current thinking on interpreting the GDPR enforcement provisions. For example, the outcome of the €50 million fine the French CNIL levied against Google will affect how other DPAs assess and apply fines. The outcome also is likely to influence future guidance issued by the EC.

While only 15 EU Member States issued fines during the first year, the increase in DPA budgets and staff suggests many more Member States will be active in the coming years. Addressing data protection complaints, launching investigations, closing cases, and levying fines and/or corrective action are resource-intensive activities. The European Data Protection Board shows France, Germany, Ireland, Italy, Poland, and Spain have the largest staff to support their respective DPAs. While budget and staff are not the only drivers of future GDPR fines, these well-resourced and staffed Member States are likely to be able to process complaints and issue fines more quickly than less-resourced countries. Of these, Ireland’s DPC may play an outsized role among all EU because of the number of large U.S. multinational corporations headquartered or doing business there. The breadth of fines issued by Ireland’s DPC as well as the depth of investigative supporting evidence could serve as a roadmap for other EU DPA enforcement actions.

In October 2017, the EC issued guidelines for DPAs to use when applying and setting GDPR fines. The guidelines were developed by the EC European Data Protection Board (EDPB), an independent body charged with the consistent application of data protection rules across the EU, and the 28 EU DPAs. The guidelines include four principles that shape how the DPAs approach assessing fines:

1. Infringement should result in “equivalent sanctions”

This principle encourages DPAs to apply a consistent approach to their “use of corrective powers” including the “application of administrative fines in particular.” The EU Member States want to “remove the obstacles to flows of personal data within the Union” by ensuring a standard of data protection across all 28 EU countries. The guidance specifies that while DPAs are independent and may choose corrective measures within their authority in accordance with Article 58, DPAs should avoid different corrective measures, including fines for similar cases.

2. Administrative fines should be “effective, proportionate and dissuasive”

Fines should “adequately respond to the nature, gravity and consequences of the breach” and DPAs should “identify a corrective measure that is effective, proportionate and dissuasive.” Neither the guidelines nor Article 83 defines “effective, proportionate and dissuasive” but the guidelines specify the DPA may consider whether to “reestablish compliance with the rules or to punish unlawful behavior (or both).”

3. Individual assessments should be conducted on each case

The GDPR requires an individual assessment of each case (Article 83). The DPAs are charged with investigating complaints on a case-by-case basis within a reasonable period of time and in an impartial, fair manner. This principle calls on the DPAs to “use a considered and balanced approach in their use of corrective measures, in order to achieve both an effective and dissuasive as well as a proportionate reaction to the breach” and “not to use them in a way which would devalue their effectiveness as a tool.” The EDPB issues a binding decision if disputes arise between authorities regarding the existence of an infringement.

4. Administrative fines should be harmonized across EU member country DPAs

In order to attain consistency, DPAs are directed to cooperate with each other and the EC “to support formal and informal information exchanges, such as through regular workshops.” The purpose of the information exchange is to share the methodology used to formulate fines and the practice of applying fines to “achieve greater consistency” across the EU.

In addition to the guiding principles, DPAs are required to consider a number of factors under the GDPR when determining the scope and level of a fine. Article 58 details supervisory authority or DPA powers, including the imposition of administrative fines pursuant to Article 83. Article 83 is significant because it directs the DPA to consider many factors when determining the amount of a fine.

The GDPR applies to companies outside the EU because it is extra-territorial in scope. Specifically, the law is designed not so much to regulate businesses as it is to protect the data subjects’ rights. A “data subject” is any person in the EU, including citizens, residents, and even, perhaps, visitors.

What this means in practice is that if you collect any personal data of people in the EU, you are required to comply with the GDPR. The data could be in the form of email addresses in a marketing list or the IP addresses of those who visit your website.

You may be wondering how the EU will enforce a law in a territory it does not control. The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms quite frequently. Article 50 of the GDPR addresses this question directly. So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis.

Organizations doing business in the EU (or targeting through their marketing programs EU citizens) are advised to regularly assess their level of compliance with the GDPR. One of the means to do so is the GDPR compliance checklist;

GDPR compliance checklist

• Conduct an information audit for EU personal data

Confirm that your organization needs to comply with the GDPR. First, determine what personal data you process and whether any of it belongs to people in the EU. If you do process such data, determine whether “the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.” Recital 23 can help you clarify whether your activities qualify as subject to the GDPR. If you are subject to the GDPR, continue to the next steps.

• Inform your customers why you’re processing their data

Consent is only one of the legal basis that can justify your use of other people’s personal data. You can find the other “lawfulness of processing” justifications in Article 6 of the GDPR. If you choose to process data on the basis of consent, there are extra duties involved. Finally, Article 12 requires you to provide clear and transparent information about your activities to your data subjects. This likely will mean updating your privacy policy.

• Assess your data processing activities and improve protection

A data protection impact assessment will help you understand the risks to the security and privacy of the data you process and decide ways to mitigate those risks. Next, begin implementing data security practices, such as using end-to-end encryption and organizational safeguards, to limit your exposure to data breaches. When beginning new projects, you must follow the principle of “data protection by design and by default.”

• Make sure you have a data processing agreement with your vendors

You, as the data controller, will be held partly accountable for your third-party clients if they violate their GDPR obligations. So it’s important to have a data processing agreement that establishes the rights and responsibilities of each party. This includes your email vendor, cloud storage provider, and any other subcontractor that handles personal data. You can find a data processing agreement template here.

• Appoint a data protection officer (if necessary)

Many organizations (especially larger ones) are required to designate a data protection officer. The GDPR specifies some of the qualifications, duties, and characteristics of this management-level position.

• Designate a representative in the European Union

Article 27 specifies which non-EU organizations are required to appoint a representative based in one of the EU member states. Recital 80 provides further details about this role.

• Know what to do if there is a data breach

Articles 33 and 34 layout your duties in the event personal data is exposed, whether through a hack or any other kind of data breach. The use of strong encryption can mitigate your exposure to fines and reduce your notification obligations if there’s a data breach.

• Comply with cross-border transfer laws (if applicable)

As with previous EU regulations on the transfer of personal data to non-EU countries, Article 45 of the GDPR retains tough requirements for organizations wishing to do so. You may be required to self-certify under the Privacy Shield Framework.

By following these steps, along with the steps in our GDPR compliance checklist, you can help avoid drawing scrutiny from EU regulatory authorities. The information and guidance we can offer vary from technical review to providing several forms and templates.