When I think about who is setting the fines for violations of the European Union’s new General Data Protection Regulation (GDPR), I get the image of a small-town sheriff and his speed trap.
The Service Authorities — which EU officials call the GDPR local enforcement arms in each country — will be getting much of their operating funding from fines imposed for violations.
The approach conjures images of a sweaty, heavy-jowled sheriff ripping off his sunglasses as he leans in the car window to tell lead-footed motorists how he clocked their law-breaking speed with the new gizmo he bought with money from last month’s fines.
“You picked the wrong [town] to haul ass through,” as Sheriff J.W. Pepper put it in the James Bond film “Live and Let Die.”
With fines for the most serious violations reaching up to 4 percent of a company’s annual worldwide revenue or a maximum of €20 million, whichever is greater, the high sheriffs (Service Authorities) could be looking at a huge revenue source.
That is likely to put them on the hunt for violators, funding more staff and equipment with each collection, which makes it even more important that companies start getting ready now for GDPR compliance.
The GDPR, which goes into full effect in May 2018, substantially increases data privacy rights of consumers and the requirements on companies that solicit and retain customer identities.
Its scope is broad: If you do business in the EU – even if it is only one customer – or if EU member companies or consumers buy your product or service, even outside the EU, your company must comply with these stringent privacy requirements.
The GDPR suggests that these high sheriffs take into account a number of factors when determining how to penalize violators. Among them: Was the infringement intentional? How has the alleged violator acted to mitigate damage? How many data subjects were affected?
But don’t miss the empowerment language. The GDPR says fines should be “effective, proportionate and dissuasive.”
So when you start driving this highway of GDPR, it’s crucial to be sure your company is prepared to obey the privacy laws and get it right. Not understanding the requirements is not an excuse.
You wouldn’t want to hear those famous words from another fictitious member of law enforcement, the prison warden in “Cool Hand Luke” who famously said: “What we have here is a failure to communicate.”
This is the second in a series of occasional blog posts exploring key concepts behind GDPR.
By Jason Rose