The General Data Protection Regulation (GDPR) will certainly be enforced across Europe, but enforcement will vary between EU member states, because each member state has its own supervisory authority responsible for applying the GDPR. An organisation therefore needs to know how the GDPR is enforced in the countries where it operates, and what the repercussions will be if it is not compliant.
How will GDPR enforcement differ across EU member states?
The GDPR applies directly in all EU member states, but how it is enforced will differ from state to state. Each member state has a Data Protection Authority (DPA), and the funding for these DPAs comes out of the national budget; there is no money allocated from the EU, so the size and capacity of each regulator varies.
Recent studies suggest that Germany and Spain, which are known for being strict on data protection, may enforce the regulation tightly. The Republic of Ireland, on the other hand, has in the past been lax with data protection and might not enforce the GDPR as rigorously.
The GDPR establishes a two-tier system of administrative fines for organisations that infringe it (any infringement, not only a data breach). The lower tier is up to €10 million or 2% of the organisation's worldwide annual turnover for the preceding financial year, whichever is higher, and applies to infringements such as failing to meet controller and processor obligations, including the security and breach-notification duties. The upper tier is up to €20 million or 4% of worldwide annual turnover, again whichever is higher, and applies to infringements of the basic processing principles, data subjects' rights and the rules on international transfers. These are potentially crippling fines, so GDPR compliance is a necessity.
How is GDPR enforced in the UK?
The DPA and supervisory authority for the UK is the Information Commissioner's Office (ICO). Just before the GDPR came into effect on 25 May 2018, the ICO recruited 200 additional employees and now has around 700 staff, as it anticipated an increase in reported breaches and non-compliance once the GDPR applied.
Surveys conducted a couple of months before the GDPR came into effect showed that only 65% of businesses expected to be compliant by May. Furthermore, the GDPR requires a personal data breach to be reported to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals. An influx of breach notifications is therefore expected in the initial months of GDPR enforcement.
How can your business prepare for GDPR enforcement?
Because each EU member state will enforce the GDPR differently, the picture is confusing for businesses that deal with many member states and could be subject to varying treatment. For cross-border processing the GDPR does provide a "one-stop shop": the DPA of the member state where the organisation has its main EU establishment acts as lead supervisory authority and coordinates with the others. Even so, some businesses have tailored their GDPR strategies to specific countries, in line with how those countries are expected to enforce the regulation, whereas AppNexus, an American technology firm, has created a single GDPR strategy for Europe as a whole, which is likely to be simpler than a country-specific one.
Regardless of the member state, businesses must comply with the GDPR. To prepare for enforcement, a business needs a data management strategy that is transparent and clearly documented. If the DPA wants to audit your company, the process will be far easier if you have documented the lifecycle of personal data: the point at which it is collected and the lawful basis you rely on (consent is only one of several), how it is used and protected while held, and the point at which you destroy it once it is no longer needed. If this process is lawful, fair and documented, an organisation will be well placed to demonstrate compliance with the GDPR.
Enforcement which has already taken place
Among the first high-profile breaches disclosed under the new GDPR was Ticketmaster's, announced on 27 June 2018. Ticketmaster Entertainment Inc., the US-based ticket sales and distribution company, found malicious code in a customer-support chat product supplied by Inbenta Technologies, a third party working with Ticketmaster; because the third-party code ran on Ticketmaster's own pages, this was a supply-chain compromise rather than a breach of Ticketmaster's servers directly. The malware compromised the personal data of Ticketmaster customers, including names, payment details, email addresses and home addresses. Affected customers were notified by Ticketmaster and have since been offered a 12-month identity theft monitoring service. The ICO is currently investigating the breach and has yet to decide what administrative fine, if any, to impose for Ticketmaster's failure to protect its customers' data.
Ultimately, the GDPR will be enforced across Europe, so your business needs to be aware of all of the obligations and safeguards it must implement to be compliant. If it is not, there may be serious repercussions from the ICO or the relevant DPA.