GDPR Top Ten #7: Data Protection Authority enforcement methods

What enforcement methods are at the disposal of the DPA to ensure compliance?

The new GDPR will introduce new data subject rights and rules governing those rights. These rights and rules are useless if compliance cannot be enforced. What enforcement methods are at the disposal of the DPA to ensure enforcement?

Author: Alex Tolsma

From May 2018 the European Union will have a new privacy law that applies EU-wide: the General Data Protection Regulation (GDPR). This new regulation shall have equal legal force throughout the EU. The GDPR will not only bring several new data subject rights, but it will also introduce a variety of new rules to which companies and individuals must adhere and with which they must be able to demonstrate compliance.

What are these rules? What are the ramifications of not complying with these rules? How will this impact your organisation (e.g. financially, strategically, etc.)? And most importantly, how will compliance be enforced?

New data subject rights under the GDPR include, among others, the right to data portability, the right to restrict processing, and the right to be informed of the right to object to processing by the controllers.

The GDPR sets out the obligation for Member States to set up a supervisory authority, the so-called Data Protection Authority (DPA). The task of these national authorities will be to monitor the application of the Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.
The obligation of the DPA from an enforcement perspective can then be divided into two parts:

  1. Monitoring whether individuals can exercise their rights; and
  2. Evaluating whether the processing of personal data complies with the rules on processing set out by the GDPR. 

Suspicion of a violation

The DPA will have a variety of investigative powers to find out if a violation exists or not. To investigate a possible violation the DPA can order the controller and the processor to provide any information it requires for the performance of its tasks. The DPA may further request access to all personal data and to all information necessary for the performance of its tasks. An investigation itself may consist of data protection audits, and when necessary the DPA can obtain access to any premises of the controller and the processor, including to any data processing equipment and means. Where it is foreseeable that a manner of processing will not be compliant with the GDPR the DPA can issue warnings to a controller or processor.

Confirmed Violations

If the DPA concludes that a violation has taken place, there are several measures at its disposal. The least intrusive measure is the possibility to issue reprimands to a controller or a processor where processing operations have infringed provisions of the GDPR. If a reprimand is not sufficient, the DPA may also order the controller or processor to bring the processing operations into compliance with the provisions of the GDPR. If a controller or processor has ignored the rights of a data subject, the DPA may order them to comply with the data subject's requests to exercise their rights. Moreover, the DPA can order the rectification or erasure of personal data or restriction of processing to meet the rights of the data subject. Data-driven organisations, or organisations that must process data as part of their business model, can be severely impacted if forced to delete all their data due to compliance violations. Many organisations increasingly see data as their most valuable asset. In the case of a data breach the DPA can order the controller to communicate this personal data breach to the data subject.

Severe Measures

If severe measures are necessary, for example because it appears that less serious measures have not led to the desired result, such measures are also at the disposal of the DPA. In that case the DPA will have the power to impose a temporary or definitive limitation including a ban on processing. This can have a significant impact on an organisation’s business operations, ability to service its customers and meet its overall business objectives. The DPA may also order the revocation of a certification (which is used to indicate that processing takes place in accordance with the GDPR). Moreover, the DPA may order the suspension of data flows to a recipient in a third country or to an international organisation if applicable. 

Levying of Fines

The most far-reaching powers consist of the imposition of administrative fines. For a less serious violation the administrative fines can go up to 10 000 000 EUR (10 million euro), or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In case of more serious violations this goes up to 20 000 000 EUR (20 million euro) or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. These fines are substantial and can financially cripple companies and even put some companies out of business. It is therefore important to fulfill the obligations under the GDPR.