By Ken Magill
When the EU’s General Data Protection Regulation goes into force, the big unknown is how European regulators plan to enforce it, especially since there are 28 independent Data Protection Authorities, one for each member state of the EU. Where consent is the lawful basis relied on, GDPR will require marketers, or data controllers as they’re referred to, to obtain that consent from would-be email marketing recipients in clear language that lays out exactly how their personal data will be used, and to be able to prove the consent was obtained. It will give people the right to obtain any information held on them, the right to object to processing and the right to have their information erased. It also will require notification of data breaches to the supervisory authority within 72 hours of the controller becoming aware of them. But with 28 different Data Protection Authorities, each with serious enforcement power, it is impossible to predict what the GDPR rollout will entail.
“As we go from the preparation phase to the GDPR implementation phase, we don’t yet know what the enforcement posture of the European regulators is going to look like,” said J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals. “Now to be clear we’ve got 28 European regulators, all of which have independent regulatory authority under GDPR. There is a convening body, the European Data Protection Board that will be put together for May of this year and it is meant to be a steering committee to help guide some of this action, but the regulators country by country remain very much independent and can act independently,” Hughes said. “So it’s hard for me to predict what we will see.”
But there are three possible scenarios, said Hughes. In the first, all 28 countries work through the Data Protection Board and take a very systematic and strategic approach to enforcement. “They identify, say, the top 10 enforcement priorities that they have in order to drive marketplace behavior. They don’t go for the big fines even though they have them. They go for exemplary actions and give an indicator to the marketplace as to what their expectations are. And we see a steady succession of these cases come out and get settled.” That scenario, he said, “will look a little bit like what the FTC [Federal Trade Commission] does.”
A second possible scenario is that an aggressive Data Protection Authority in some country decides to really go after some cases, said Hughes. “That could be really challenging because it may end up giving us an unclear picture as to what the enforcement expectations are or what the enforcement priorities of the regulators are across Europe,” he said. “They [the Data Protection Authorities] may be very diverse and disparate.”
The third and worst scenario is 28 independent Data Protection Authorities bringing their own actions with their own priorities, at their own pace and at their own scale, forcing companies to monitor all of them, said Hughes. “I think that might be an extreme scenario,” he added. “I would hope we would see more cohesiveness in their enforcement approach.” The least likely scenario of all is that the EU Data Protection Authorities fail to enforce GDPR. “What I can predict is that European regulators that by and large to this point have had relatively limited enforcement capabilities will use these bright, shiny, new enforcement tools,” said Hughes. “They now, for the first time, have really significant fining authority.”
Indeed, failing to comply with key GDPR provisions, such as failing to get proper permission, can result in fines as high as €20 million ($23.9 million) or 4 percent of global annual revenue, whichever is higher. Less severe infringements, such as not having records in order, could result in fines of up to €10 million ($12 million) or 2 percent of global annual revenue, whichever is higher. GDPR applies whenever an organization offers goods or services to, or monitors the behavior of, people in the EU, even if that organization has no physical presence in Europe.
“European regulators and parliamentarians and legislators have made it very clear that GDPR applies when a European citizen is accessing your goods, your services, your website, your functionality in Europe,” said Hughes. “So if you’re putting up a website, European regulators think that they’ve got hooks into you.” He added: “If you’ve got European email addresses in your database, European regulators will expect that you’ll be complying with GDPR.”
However, Hughes also contends that acting in good faith to comply with GDPR is one of the best regulatory protections a marketer can implement. “If you can demonstrate to a regulator that in good faith you have done the hard work, you’ve invested the time, you’ve made the effort to build your processes, your security, your data protection controls, you’ve trained your organization so that they’re aware as to what your expectations are, you will inevitably be seen more favorably than someone who has not done these things,” he said. “That can be the difference between getting a letter from the regulator saying: ‘Hey, we see you had a breach and we see that you’re handling it appropriately. We consider this matter closed,’ and a regulator saying: ‘You had a breach and, oh, by the way, here’s the fine and here’s the press release that we’re announcing today.’”
This post is not meant to be construed as legal advice. For legal advice, consult an attorney.