By Ken Magill
When the EU’s General Data Protection Regulation goes into force, the big unknown is
how European regulators plan to enforce it, especially since there are 28 independent Data
Protection Authorities, one for each EU member state.
GDPR will require marketers, or data controllers as they’re referred to, to get consent to process
personally identifiable information from would-be email marketing recipients in clear language
that lays out exactly how the information will be used.
It will require the ability to prove consent was obtained. It will give people the right to obtain
any information held on them, the right to opt out and the right to have their information erased.
It also will require notifications of data breaches within 72 hours.
But with 28 different Data Protection Authorities, each with serious enforcement power, it is
impossible to predict what the GDPR rollout will entail.
“As we go from the preparation phase to the GDPR implementation phase, we don’t yet know
what the enforcement posture of the European regulators is going to look like,” said J. Trevor
Hughes, president and CEO of the International Association of Privacy Professionals. “Now to
be clear we’ve got 28 European regulators, all of which have independent regulatory authority.
“There is a convening body, the European Data Protection Board that will be put together for
May of this year and it is meant to be a steering committee to help guide some of this action, but
the regulators country by country remain very much independent and can act independently,”
Hughes said. “So it’s hard for me to predict what we will see.”
But there are three possible scenarios, said Hughes:
One, all 28 countries work through the Data Protection Board and take a very systematic and
strategic approach to enforcement.
“They identify, say, the top 10 enforcement priorities that they have in order to drive
marketplace behavior. They don’t go for the big fines even though they have them. They go for
exemplary actions and give an indicator to the marketplace as to what their expectations are. And
we see a steady succession of these cases come out and get settled.
“That will look a little bit like what the FTC [Federal Trade Commission] does,” he said.
A second possible scenario is an aggressive Data Protection Authority in some country decides
to really go after some cases, said Hughes.
“That could be really challenging because it may end up giving us an unclear picture as to what
the enforcement expectations or the enforcement priorities of the regulators are across
Europe,” he said. “They [the Data Protection Authorities] may be very diverse and disparate.”
The third and worst scenario is 28 independent Data Protection Authorities bringing their own
actions with their own priorities at their own pace and their own scale, forcing companies to
monitor all of them, said Hughes. “I think that might be an extreme scenario,” he added. “I
would hope we would see more cohesiveness in their enforcement approach.”
The most unlikely scenario is that the EU Data Protection Authorities fail to enforce GDPR.
“What I can predict is that European regulators that by and large to this point have had relatively
limited enforcement capabilities will use these bright, shiny, new enforcement tools,” said
Hughes. “They now, for the first time, have really significant fining authority.”
Indeed, failing to comply with key GDPR provisions, such as failing to get proper permission,
can result in fines as high as €20 million ($23.9 million) or 4 percent of global annual revenue,
whichever is higher. Less severe infringements, such as not having records in order, could result
in fines of up to €10 million ($12 million) or 2 percent of global annual revenue, whichever is
GDPR applies anytime a European citizen interacts with an organization in Europe even if that
organization has no physical presence in Europe.
“European regulators and parliamentarians and legislators have made it very clear that GDPR
applies when a European citizen is accessing your goods, your services, your website, your
functionality in Europe,” said Hughes. “So if you’re putting up a website, European regulators
think that they’ve got hooks into you.
“If you’ve got European email addresses in your database, European regulators will expect that
you’ll be complying with GDPR,” he said.
However, Hughes also contends that acting in good faith to comply with GDPR is one of the best
regulatory protections a marketer can implement.
“If you can demonstrate to a regulator that in good faith you have done the hard work, you’ve
invested the time, you’ve made the effort to build your processes, your security, your data
protection controls, you’ve trained your organization so that they’re aware as to what your
expectations are, you will inevitably be seen more favorably than someone who has not done
these things,” he said.
“That can be the difference between getting a letter from the regulator saying: ‘Hey we see you
had a breach and we see that you’re handling it appropriately. We consider this matter closed’
and a regulator saying: ‘You had a breach and, oh, by the way, here’s the fine and here’s the
press release that we’re announcing today.’”
This post is not meant to be construed as legal advice. For legal advice, consult an attorney.