According to the independent global information privacy group IAPP, there is something special about GDPR in comparison with most European regulations, even those related to online privacy or digital technologies in general: the enforcer's authority to impose steep fines on companies found to be non-compliant. The fines can reach a crippling €20 million or 4% of the company's annual revenue worldwide, not just revenue earned in Europe.
For comparison, the highest fine imposed for a data privacy violation in the US by the FTC was $22.5 million, levied on Google in 2012, according to USA Today. Had a similar regulation been in place, the giant would have been looking at a $2 billion fine.
As IAPP's Anna Myers explains, the fines are designed to discourage reckless user data practices and to make examples of the likely first culprits. Over time, GDPR should therefore inspire standardized practices and a culture of privacy care within organizations, and force a radical break from business as usual. Individuals can also be held liable, in which case their general income level will set the mark.
Deliberate wrongdoing will be punished more severely than conduct deemed involuntary. The same holds for those directly responsible for data collection and handling as opposed to third-party or supporting services, although the latter can still compromise a company and demand the same level of attention, if not more. In fact, the most common instances of failure to comply are likely to be relatively small ones. So watch out for:
- Failure to notify users of site policies, such as the privacy policy, and to request their acceptance.
- An unclear or incomplete record of user consent.
- Failure to inform users how their data is used, especially when third parties are involved.
- Failure to inform users where their data is stored, especially when it is stored outside of Europe.