Companies will be in for a shock if they think that European data regulators will go soft on them or allow a grace period as they prepare for tough new rules on data protection that come into force next month.
The EU General Data Protection Regulation (GDPR) was adopted throughout the European Union (EU) in April 2016. Since then, organisations have had a two-year transition period to prepare for the changes and ensure that they comply with the new rules by 25 May when the regulation comes into effect across all 28 EU member states.
Some companies are probably more aware of the tough sanctions for non-compliance than they are of the requirements they actually need to follow. And failure to comply with the regulation risks some eye-watering penalties: serious breaches can incur fines of up to €20m (U.S. $24.5 million) or up to 4 percent of global annual revenues, whichever is greater.
In addition to fines, other enforcement options available include the power to issue warnings and reprimands, order compliance, and impose restrictions or bans on processing data.
Companies based anywhere in the world that hold, process, or interact with personal data on any EU citizen are bound by the rules, even if they have no physical presence in any of the 28 EU member states.
Surveys have routinely found that GDPR awareness in some countries is dangerously low and that efforts to comply by the deadline have been slow in some industries. Consequently, say experts, some companies may have mistakenly presumed that if they demonstrate that they “are on a journey” toward compliance, smaller infringements are likely to be overlooked. The United Kingdom’s data regulator, the Information Commissioner’s Office (ICO), however, denies this, and doubts whether other EU regulators would take a lenient approach either.
The ICO has said that “there will be no ‘grace’ period” and that it will be regulating the new rules from the date they come into force, pointing out that “there has been two years to prepare.”
In a conciliatory move, however, the ICO says that “we pride ourselves on being a fair and proportionate regulator, and this will continue under the GDPR,” adding that “those who self-report, who engage with us to resolve issues, and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.”
Some lawyers expect EU data regulators to come down hard on offenders, particularly following the ongoing Facebook/Cambridge Analytica scandal and the alleged misuse of personal data.
Tim Hickman, a partner at law firm White & Case, believes that “2018 could well be the year in which EU data protection authorities fully bare their teeth.”
With GDPR introducing potentially massive fines, says Hickman, “EU data protection authorities will be looking to demonstrate that they have the power to shock businesses into action, where needed. We are likely to see at least one fine above the €10m (U.S. $12.2 million) mark by the end of 2018.”
Rhiannon Cambrook-Woods, managing director at specialist advisory firm Zest Recruitment & Consultancy, also believes that it is “likely that an example will be made early doors,” but adds that “other than a couple of examples being made, it is hard to see how strictly the new rules will be applied.”
Compliance requirements of GDPR
The General Data Protection Regulation (GDPR) creates some significant changes that companies based anywhere in the world that process, store, or interact with the data of any EU citizen need to understand and adhere to.
For example, the new EU regulation extends the definition of “personal data” so widely that it now includes genetic and biometric data, as well as online identifiers, such as an IP address. It also strengthens and increases the rights of data subjects and tightens the rules on consent. For example, it introduces the “right to be forgotten” for EU data subjects, which means that EU citizens can ask Websites or Web forums to delete their details.
The scope of European data protection laws has been expanded in another significant way, as well. Whereas the former EU Data Protection Directive applied only to data controllers (those who collect and own the data, such as companies retaining customer information, including addresses and credit card details), the GDPR now holds data processors (essentially, third-party vendors) jointly liable too. In practical terms, this means that companies need to have assurances that their suppliers and contractors also have measures in place to comply with the GDPR.
The regulation includes detailed compliance requirements, such as appointing designated data protection officers if there is regular or systematic monitoring of data subjects or large-scale processing of special categories of data. The most difficult requirement is perhaps the need to report any breach to the relevant data protection supervisory authority within 72 hours: In certain circumstances, organisations would also need to notify those individuals affected in the same timeframe as well.
— Neil Hodge
Lawyers believe that companies should ensure that they are compliant by the time the regulation comes into effect. “Business leaders would be unwise to rely on a grace period to get used to the new rules,” says Helen Farr, partner at law firm Fox Williams, who warns that penalties for non-compliance will increase massively overnight on 25 May. She points out that the £400,000 (U.S. $559,000) fine issued to telecom provider Talk Talk in 2016 could be as high as £35 million (U.S. $49 million) under GDPR if the ICO were to fine it up to 4 percent of its global turnover.
Some do not believe that the U.K.’s regulator (at least) will aggressively hunt for incidences of non-compliance just because it has new powers. “I don’t expect the ICO to be rushing after 25 May 2018 to impose fines on organisations it has never had reason to have on its radar before,” says Emma Roe, a partner and head of commercial law at law firm Shulmans.
“In my experience, the ICO focuses very much on seeking to educate and work with organisations that are trying to get things right, rather than rushing to fine them for any and all breaches,” says Roe. “However, I suspect there will be limited patience from the ICO when it first engages with organisations that appear to have not even tried to get into a compliant position,” she adds.
According to the ICO’s most recent annual report for 2016/2017, only 16 fines were issued for breaches under the Data Protection Act 1998. Presently, only public-sector organisations (under a voluntary code) are obliged to report data breaches. But once this changes under GDPR and companies are required to report certain types of data breaches, the number of fines issued will invariably increase, say lawyers. Christian Mancier, a partner at law firm Gorvins, says, however, that “the ICO’s approach is still very much about reserving fines for the most serious and/or large-scale breaches, and it is unlikely that this approach will change.”
Lawyers say that while there will likely be differences in approach between the various data regulators across the European Union, with some adopting a far stricter interpretation than others, the scope for such divergence is significantly diminished since each regulator is working with the same piece of legislation.
Previously, the EU’s data protection directive was transposed into each member state’s national law, which meant that there were 28 versions of the same set of rules (though differences were slight). However, under an EU regulation—which is what the GDPR is—the same set of rules applies in each member state without any variation.
As a result, say lawyers, companies should expect monitoring, as well as enforcement, to be fairly uniform across the entire EU bloc. “The different EU countries will be more on the same page than they were before,” says data privacy expert Patrick O’Kane.