In this blog post, we give a quick view of which GDPR activities are aligned to the 2%/€10,000,000 administrative fine category, and which are aligned to the 4%/€20,000,000 category.
51 Ways to Get into Trouble with GDPR
(and it can cost you millions!)
24 April 2019
Unless you were just rescued from being a castaway on a deserted island for the past two years, you are aware of the headline-grabbing news about how the European Union has implemented the General Data Protection Regulation (GDPR), effective 25 May 2018.
Of the 99 articles in the GDPR, more than half are tied to requirements that, if infringed, can lead to administrative fines in the millions.
The EU data protection authorities have been swift to use their new consultative, investigative, and corrective powers. They have the power to issue fines up to the higher of 10 million Euros or 2% of an organisation’s total worldwide annual turnover of the preceding financial year, and 20 million Euros or 4%, respectively. Besides the ‘effective, proportionate, and dissuasive’ administrative fines, EU data protection authorities can exercise injunctive powers over data controllers and data processors.
While one should work diligently to avoid the GDPR fines, non-compliance can also wreak havoc on organisations if a data protection authority orders them to stop processing personal data (temporarily or permanently). Google is none too happy about the efforts and costs involved in fighting the French data protection authority’s €50,000,000 fine¹.
Organisations should also brace themselves for EU-based individuals represented by EU non-governmental organisations (e.g., ‘None of Your Business’) filing claims on the individuals’ behalf for infringements of the GDPR, regardless of materiality.
There are at least 51 ways to run afoul of the GDPR
To stay out of trouble, one tricky area for data controllers to master is when to rely on legitimate interest as their legal basis for processing personal data. Art. 6(1) defines the six legal bases to consider before determining that legitimate interests applies:
(a) consent that is freely given by the data subject and can be revoked at any time
(b) contract performance, or preparation to enter into a contract at the data subject’s request
(c) legal compliance of the controller
(d) vital interests of natural persons
(e) public interest tasks vested in the controller
(f) ‘legitimate interests’ pursued by the controller or by a third party
Besides selecting the appropriate legal basis before collecting personal data, organisations need to apply all GDPR principles described in Art. 5, starting with:
“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.”
Processing qualifies as ‘lawful, fair and transparent’ if it honours purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality.
Identifying the correct legal basis for processing personal data is but one of many steps that organisations must take to satisfy the GDPR.
Members of the Data Protection Network can download its latest legitimate interests assessment guide², containing scenarios and sample questionnaires to ensure that the controller’s interests are balanced and do not override the fundamental rights and freedoms of the individuals. There is no cost to sign up for a DPN membership. The UK Information Commissioner’s Office recently published tips on legitimate interests on its website³.
The table below is designed to give a bird’s-eye view of the 51 GDPR requirements that, if infringed, may result in undesirable consequences for data controllers and data processors.
Note: Consult the official text for the full description of the GDPR requirements⁴.
² DPN guidance at https://www.dpnetwork.org.uk/dpn-legitimate-interests-guidance
³ UK ICO’s guide at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/
© 2019 Karima Saini, CIPP/E & CIPP/US, CIPM & FIP
The information provided and the opinions expressed represent the views of the author and do not constitute legal advice, nor can they be construed as offering comprehensive guidance on the various EU member state data protection legislations, regulations or other statutory measures referred to herein.