The regulation makes provision for fines up to €20m or 4% of global turnover, so the potential costs are substantial. However, it remains to be seen whether regulators will take a ‘light-touch’ approach or if there will be a more aggressive stance.
It will take a while before businesses can see how regulators in the various jurisdictions will approach GDPR enforcement and what level of fines will be imposed for what scale of offence.
The EU’s own guidance for regulators on setting fines is pretty vague, but it does include some information about factors that should be considered when assessing punishments.
There is an expectation that there will be some co-ordination amongst regulatory authorities so there is a consistent approach across the EU. Whether that turns out to be the case when there is already a wide discrepancy in attitudes to privacy remains to be seen.
Claims from individuals for actual or perceived infringements may turn out to be of more concern than fines from regulators.
The European Commission’s website gives this answer to the question “Can my company/my organisation be liable for damages?”:
Individuals can claim compensation if a company or an organisation infringed the General Data Protection Regulation (GDPR) and they have suffered material damages, such as financial loss, or non-material damages, such as reputational loss or psychological distress. The GDPR ensures they will be provided with compensation, regardless of the number of organisations involved in the processing of their data. Compensation can be claimed directly from the organisation or before the competent national courts. Proceedings are brought before the courts of the EU Member State where the controller or processor has an establishment or where the citizen claiming compensation lives (habitual residence).
So potentially companies can be taken to court in an EU country where the company has ‘an establishment’ or ‘where the citizen claiming compensation lives’.
With exposure to compensation claims for both material and non-material damages, any companies dealing with EU citizens’ data will have to have robust systems and procedures in place to make sure they are demonstrably compliant with GDPR.
It’s early days, but it might be that the biggest beneficiaries from GDPR won’t be EU citizens, but the legal profession!