Since May 25th the General Data Protection Regulation (GDPR) has been fully enforceable. The new legislative package has replaced the former Directive 95/46 ('The Data Protection Directive') and imposed new European rules regarding data protection. Amongst other things, the GDPR sets stringent penalties for non-compliance with the new rules.
Firstly, supervisory authorities will have a larger package of instruments to enforce compliance. They will have a set of investigative, corrective, authorisation and advisory powers. With the ongoing process of globalisation, cross-border investigations have become increasingly common. Therefore, supervisory authorities are given tools to cooperate with other supervisory authorities, with the aim of effective enforcement of the GDPR across all Member States.
Depending on the nature of the infringement, the fines for non-compliance can rise up to €20 Million or 4% of the total worldwide annual turnover, whichever is higher. The amount of a possible fine is decided on a case-by-case basis. The following parameters are taken into account when deciding whether or not a fine should be imposed and in determining the amount of the possible fine (article 83 GDPR).
With these severe fines, careful handling of the personal data flowing within your organisation has become a serious boardroom matter. Make sure to give privacy governance a permanent place in your organisation's strategy and prevent high fines from being imposed.