The General Data Protection Regulation (GDPR) governs the collection of data relating to people in the EU. It imposes obligations on EU member states, but it applies to any organisation, wherever located, that targets or collects data on persons in the EU.
How does the two-tiered system of GDPR work?
The purpose of GDPR is to regulate the collection of data and the way this is used. GDPR has at its disposal the use of harsh fines on businesses who violate its provisions, as well as other sanction-based mechanisms.
There are two tiers of administrative fines for non-compliance with the GDPR: a lower level and a higher level. Lower level fines are up to €10 million or up to 2% of the total annual turnover of the preceding financial year, whichever is higher. These fines are issued for less severe breaches of the GDPR.
Higher level fines are up to €20 million or 4% of the total annual turnover of the undertaking, whichever is higher, and are issued for more severe infringements of the GDPR.
What is an undertaking in terms of GDPR?
With penalties being dependent on the total global turnover of an undertaking, it is important to understand what constitutes an undertaking. The definition encompasses ‘every entity engaged in an economic activity, regardless of the legal status…’, as established in Höfner and Elser v Macrotron GmbH (1991) C-41/90 (Hofner Case).
An undertaking does not have to consist of just one company. If a parent company exercises control over a subsidiary, there is a presumption that they form a single undertaking. All the companies under the control of the parent company could therefore be treated as one undertaking for the purposes of the law, meaning the turnover of the whole group could be used to calculate the fine for a GDPR infringement. Fines under the GDPR can consequently be very high, depending on the structure of the company.
What happened with the Danish municipalities?
Recently, the Danish Data Protection Agency reported both the municipality of Gladsaxe and Horsholm to the police, as they found a violation of the GDPR. It was found that security requirements under GDPR had been violated. These violations pertain to the security of processing under GDPR which is governed by the obligations of controllers and processors.
A ‘controller’ is an entity or individual that makes decisions about processing activities and is in control of the personal data, whereas a ‘processor’ is an entity or individual that acts under the authority of the controller and serves the controller’s interests rather than its own.
The Danish cases both involved the theft of computers that were not protected by encryption. At Gladsaxe City Hall, a computer containing the personal data, including sensitive data, of over 20,000 citizens was stolen. The second security breach occurred at the municipality of Horsholm, where an employee’s computer was taken from his car; it contained personal data on 1,600 employees, again of a personal nature. Since residents cannot opt out of a municipality storing their data, the level of protection and security is expected to be high. Incidents like these highlight the dangers of insufficient security and the undue risk it exposes citizens to.
What are the consequences of the failure to encrypt?
The Data Protection Agency was notified of the cases when both municipalities reported breaches of personal data ‘relating to the theft of computers containing personal data’. Following these notifications, the Danish authorities were able to intervene and impose fines on the municipalities of DKK 100,000 and DKK 50,000 respectively.
The fines levied are directly related to the seriousness of the infringement and the consequences of the breach in question. Fines must be ‘effective, proportionate and dissuasive for each individual case’, so the authorities apply a set of criteria when choosing the penalty amount. These criteria include, amongst other things, the intent behind the infringement and the measures taken to mitigate the damage that occurred. In the Danish example, the unencrypted files were very easy to access: the personal data was stored locally with no security measures in place.
What does this mean for my business?
GDPR’s implementation signals the firm stance the EU is taking on data privacy and security.
As evidenced by the recent fines imposed on the two Danish municipalities, enforcement of the GDPR is now taking full effect. The GDPR puts the consumer in control, and the ‘task of complying with this regulation falls upon businesses and organisations’. With the penalties for failure to comply being severe, all companies that store and work with the personal data of EU citizens should appoint a data protection officer to ensure compliance with GDPR requirements. Existing procedures should be reviewed to ensure the procedural requirements of the GDPR are met, and all stored personal data should be safeguarded throughout the business to help contain any breaches.
For situations like the Danish example, measures should be implemented to ensure that personal data is encrypted at rest so that it cannot be easily read from a stolen hard drive. Promulgation of the GDPR has created a new era in data protection within the EU, and businesses must comply or face the repercussions of their inaction.