GDPR Supervisory: there's more to enforcement than just fines
The 'other' enforcement powers of the Supervisory Authorities
Since May 25th the GDPR applies throughout the EU. Whilst there is still work to be done for many organisations, the focus of the preparations will quickly shift. Organisations will need to consider how to prepare for regulatory action taken by the authorities. In a series of upcoming blogs we’ll dive into a number of GDPR enforcement topics, the role of the supervisory authorities and how our Privacy Response Team can help your organisation prepare.
By Shay Danon and Nathalie McNabb - 1 June 2018
- Entering a new phase
- More than just fines
- Investigative and corrective powers
- Privacy response team
Entering a new phase
Since May 25th the long-awaited General Data Protection Regulation (GDPR) applies throughout the European Union. Whilst there is still work to be done for many organisations, the focus of the preparations will quickly shift. Organisations will not only need to ensure that their processing activities meet the GDPR’s standards but will also need to consider how to prepare for regulatory action taken by the authorities. From now on, the supervisory authorities in Europe will take on their roles in monitoring and enforcing the application of the GDPR. In a series of upcoming blogs we’ll dive into a number of GDPR enforcement topics and what the role of the supervisory authorities is here. These blogs will also explain more on how Deloitte’s dedicated Privacy Response Team can help your organisation prepare for enforcement activities.
There's more to enforcement than just high fines
It’s difficult to say anything about GDPR enforcement without mentioning the strong sanctioning powers granted to supervisory authorities. With their mandate to impose fines of up to 4% of an organisation’s annual worldwide turnover, this understandably receives a lot of attention. Although high fines are a real possibility, we don’t expect to see such fines imposed overnight. Before organisations can be fined for non-compliance, the authorities must first conduct thorough investigations. To assist them in these investigative tasks, the authorities have been equipped with a number of powers. Let’s have a look at the powers at their disposal.
Investigative and corrective powers
The GDPR gives authorities both investigative and corrective powers. Their investigative powers allow them to, for example, obtain access to all personal data within the organisation and to order organisations to provide them with other relevant information. They may also perform a ‘dawn raid’, in which they show up at the organisation unannounced, looking for additional information. Their investigative powers may also take the form of a more formal data protection audit, in which the authorities check the organisation’s legal, technical and organisational controls for compliance with the GDPR.
The investigative powers thereby give the authorities a good starting point for getting a grip on how organisations process personal data, the types of procedures and policies in place and whether an organisation is at risk of non-compliance.
The GDPR also arms the authorities with a number of corrective powers, including the right to issue warnings on processing activities likely to infringe the GDPR and the right to order organisations to bring their processing activities into compliance with the GDPR. The authorities can also impose a temporary or definitive ban on the processing of personal data, which can have far-reaching consequences, particularly for organisations that process personal data as part of their core business!
Whilst the GDPR harmonises a great deal of enforcement powers throughout Europe, there is some room for local differences. Local supervisory authorities may be given more powers than those set out in the GDPR. The Dutch supervisory authority has been given such additional powers. In the Netherlands, after having conducted investigations or having requested information, the authority can impose a periodic penalty payment (a ‘last onder dwangsom’). This essentially means that organisations can be ordered to pay a penalty for every day that the organisation continues to act in non-compliance or does not follow the authority’s instructions. The potential for a steep increase in financial penalty per day may therefore require organisations to act quickly and efficiently in their cooperation with the supervisory authority.
Deloitte's Privacy Response Team is here to help
When it comes to enforcement of the GDPR, there’s clearly more to consider than simply high fines. Deloitte has therefore set up a dedicated Privacy Response Team to help you prepare and respond to enforcement by the authorities. The team is made up of members of our privacy, forensic and crisis and resilience service lines; a cross-functional team!
Keep an eye out for our blogs as we will be posting more on the topic of GDPR enforcement. This will include blogs on how to prepare and act in the event of a dawn raid, what to expect of the cooperation between supervisory authorities, what to do if the authorities open an investigation, what to do if you’re faced with an enforcement crisis and much more.
For more information about GDPR, please contact Annika Sponselee or Nicole Vreeman via their contact details below.