The compliance deadline for the EU GDPR (General Data Protection Regulation) passed six months ago, on 25 May 2018, but its influence is only just starting to take hold.
Several experts, including European Data Protection Supervisor Giovanni Buttarelli, have predicted that the first round of fines will be levied in the coming weeks. Buttarelli told Reuters that supervisory authorities have been deluged with data protection complaints, with France and Italy alone seeing complaints rocket by more than 50%, but no sanctions have been issued yet.
The reason is it takes time to investigate incidents. Supervisory authorities have had a lot to prepare for and many were caught off-guard. However, Buttarelli says that regulators are now in position to take disciplinary action.
“I expect first GDPR fines for some cases by the end of the year. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum,” he said.
What forms of punishment should you expect?
The GDPR gives supervisory authorities the power to levy fines of up to €20 million or 4% of the organisation’s annual global turnover, whichever is greater. However, penalties of this magnitude will be reserved for egregious or repeat offences, and some supervisory authorities have said that fines will be a last resort.
Organisations are much more likely to be disciplined by way of enforcement actions. This involves the supervisory authority auditing the organisation’s processes and finding areas of non-compliance. From there, they can either discipline the organisation in the ways Buttarelli mentioned or set deadlines to put things right.
Are you GDPR compliant?
You can find out how you’d stand up to a compliance audit by taking our #BreachReady questionnaire.
This quick and easy-to-understand survey scores you on your organisation’s current data protection practices, and gives you a detailed summary of the steps you can take to prepare for data breaches and comply with the GDPR.