You will note the new title for this episode, Life With GDPR. When Jonathan Armstrong and I began this series in early 2018, we had intended to give listeners a grounding in the new law in the lead up to its go-live date of May 25. However, the response was so overwhelming and Jonathan and I had so much fun putting on the podcasts that we decided to make Countdown to GDPRa permanent part of the Compliance Podcast Network, albeit with a more appropriate name. So welcome to the re-monikered Life With GDPR, which I hope you will enjoy as much as you enjoyed its predecessor. Today Jonathan and I take up the issue of non-monetary penalties.
While most practitioners focused on the heavy fines and penalties available under the General Data Protection Regulation (GDPR) of up to 4% of total global revenues or other very large fines, there are other remedies that each EU and UK data regulator can levy or put into place that may require considerable corporate cost and effort. Moreover, these lessor penalties and sanctions can be the precursor to larger monetary fines and penalties. Armstrong emphasized that each EU country has its own regulator and they will have varying degrees of aggressiveness.
Armstrong pointed to three areas the regulators can order companies to engage in activities. First, it can order a GDPR audit to determine if it has previously assessed its data protection/data privacy issues correctly. Here he pointed to an example of a healthcare organization that was ordered to perform a Data Protection Impact Assessment (DPIA) and report back to the regulators within one month.
Next, Armstrong pointed to the joint areas of date controllers and data processors. Regulators can require a company Data Protection Officer (DPO) to comply with data requests, even Subject Access Requests (SARs). He referenced to a recent example from the UK involving Cambridge Analytica, which was ordered to comply with a US academic’s SAR. Further, a regulator can order a company to bring its data protection program in line with GDPR. Additionally, regulators can maintain investigations in the form of data protection audits and have the right to obtain access to any premises of the controller and the processor, including any data processing equipment by obtaining a warrant. This may prove to be a significant tool in the data protection regulators’ toolkit.
Regulators can also order companies to stop certain activities. Here Armstrong provided the example of a US based company with operations in Europe who is not GDPR compliant around its internal reporting structures. An EU regulator could order the company to suspend its hotline in Europe until there is compliance. Under such a scenario, the US Company would be out of compliance with US securities law and it may be at risk under best practices compliance programs under the Foreign Corrupt Practices Act (FCPA), Anti-Money Laundering (AML) regulations, export control regulations or even US anti-trust law.
Armstrong emphasized that it is not simply the regulators who have powers under GDPR, individuals do as well. SARs of course are well-known but there are other individual rights Armstrong emphasized. If an individual files some type of GDPR complaint with a statutory regulator, who does not take up the complaint within 30, days that individual can appeal against both the regulator to get the complaint moving forward. This means that individuals can file SAR actions against companies that do not respond in a timely manner to SARs. Moreover, such individuals can then band together in a class action lawsuit over such failures. There is also a mechanism for equitable reallocation of damages between parties. If a data processor has to pay damages properly attributable to a data controller, GDPR Article 82 provides a procedure for claiming these damages back. Finally, recall that any person who has suffered “material or non-material damage” due to an infringement of the new rules has a right to compensation from the data controller or processor concerned for the damage suffered and you begin to realize the powers that individuals hold under GDPR.
Interestingly, Armstrong believes that the number of regulatory and individual remedies will mandate that if companies have an incident, they should investigate and remediate quickly. From there, the entity should prepare their investigative results, remedies and internal sanctions they may have put in place on those employees involved. These steps will all go towards mitigating any proposed financial penalty the regulators may be considering. Basically, businesses need to have their ducks in a row, as it can lead to not only reduced costs for corporations, but also could well lead to greater compliance if tied to a root cause analysis.