In our two previous posts, we talked about what businesses the new European Union privacy laws apply to as well as the basic prohibitions and requirements that apply to those businesses. In this final post of our series on the General Data Protection Regulation (“GDPR”), which became effective in May 2018, we look at the penalties that companies face for non-compliance and the practical steps they can take to avoid that outcome.

Companies May Have to Pay Up to 4% of Worldwide Revenue in Penalties

The EU certainly did not fail to put teeth on the GDPR’s enforcement capacities for those companies that do not abide by its requirements. The GDPR allows for two different approaches to fining companies, which include a “lower level” of violations and “upper level” of violations.

For a company that commits a lower level violation (which generally relate to monitoring and certification requirements), the penalty is still potentially quite steep: up to 2 million euros, or 2% of the worldwide revenue of the company, whichever is greater. Note that this is revenue as opposed to profits, and “worldwide” clearly refers to all revenues the company collects, not just those in the country where the violation occurred.

When a company commits a higher level violation (which include many of the violations described in Part 2 of this series relating to consent and use of personal data), the penalties are double: up to 4 million euros or 4% of worldwide revenue, whichever is greater.

How Your Company Can Avoid GDPR Compliance and Enforcement Issues

With these extremely steep penalties in mind, companies clearly need to take care to avoid even an inadvertent violation of GDPR requirements. Again, the more involved your business is in the processing and storage of personal data about individuals in the EU, the greater the onus will likely be to take significant steps to overhaul how personal data is collected and stored, including redesigning web sites and data interfaces. Large data processing companies such as Spotify and Ebay have already taken such significant steps to change their policies regarding customer consent.

Speak with an outside privacy and/or legal consultant to determine the specifics of what your company should do to prevent future compliance issues relating to the GDPR, but here are a few basic principles for your company to keep in mind:

  • Make sure to get consent from all EU individuals prior to storing any of their personal data.
  • Only use that personal data for the purposes described in the consent agreement.
  • Obtain additional consent to use the personal data for another purpose or to transfer it to another party or location.
  • Keep personal data only for as long as necessary and promptly destroy it after the need has passed.
  • Provide customers with a copy of their personal data upon request and transfer their personal data as requested.
  • Honor individuals’ “right to be forgotten” by promptly destroying personal data upon their request.
  • Securely store all digital and paper files containing personal data, and promptly inform individuals of all data breaches related to their personal data.

Remember that the new EU privacy laws apply to any business based anywhere the world (including the United States) that collects or stores any identifiable information, including names and email addresses, about people living in the 28 countries of the EU. If you have any questions about compliance with these new laws, contact The Fried Firm to schedule a legal consultation.