Once the United Kingdom finally parts ways with the European Union, it still won’t be completely clear of the governing General Data Protection Regulation (GDPR). Generally, the GDPR is meant to strengthen and unify data protection for European Union (EU) citizens and residing companies. However, the GDPR still controls fines and regulations of non-EU companies if the data comes from EU citizens. The reform first passed on April 14, 2016, but it won’t go in effect until 2018.

What does the GDPR govern?

While most of the reform pertains to privacy for European Union citizens and companies, non-EU companies can still be charged hefty fines. Failure to notify consumers of data security breaches, failure to implement preventative measures, failure to correctly maintain records, and breaches over obtaining consent for the processing of children’s data all fall under the standard. While the GDPR is a EU governing document, actual enforcement will happen on an individual nation level. Each company will be governed by the rules of the country where it’s mainly established. While the actual finable actions haven’t changed, the new system gives much greater room for financial punishment.

What are the new fines?

With the new regulations, fines for the previously stated infractions have increased dramatically. The new GDPR allows for fines up to €20,000,000 or 4% of the company’s global revenue, whichever is higher. For example, 4% of Apple’s revenue is approximately $9.3 billion. While these fines may seem small in the grand scheme of overall worth and cash flow, this major hit for large infractions could topple even a massive company. These new caps are greater, on average, than the current EU countries’ own privacy infraction fining systems. While the individual countries prosecute each company residing in their lands, EU rules now leave more room for increased fines for almost every nation.

Will nations actually use this new fining system? 

Because the bill doesn’t take effect until 2018, it’s hard to say for certain how much the nations will actually fine infracting companies. However, it’s unlikely that a country like Bulgaria, which currently sets a max fine of roughly 100,000 euros, will suddenly increase its own punishment standard because of this new freedom from the governing GDPR. Because of global pressures to show that each nation or union is taking privacy seriously, there has been a slight flexing by governing bodies to increase financial penalty caps.

Currently, there is no explicit guidance for companies to traverse these new rules and fines. Companies worried about potential liability should obtain legal advice. For more information regarding the new agreement and its increasing fine caps, contact Revision Legal’s Internet attorneys through our contact form or by calling 855-473-8474.

Image Credit: Rob Pongsajapan