How is GDPR enforced? This is one of the most talked-about matters because failing to be GDPR compliant could be costly: as much as 4% of a business's global revenue or €20,000,000, whichever is higher. Many organizations are still not compliant since the announcement of the General Data Protection Regulation (GDPR), which came into effect in the United States on May 25, 2018. If your organization handles a European Union citizen's data, this concerns you. If you contract an app developer or anyone else from Europe, this pertains to you. The key word is data.
Ever since the announcement of GDPR, public and private companies alike have faced class action suits for not being GDPR compliant. The Supervisory Authorities (SAs) are the ones who enforce GDPR law. Even though they are based in Europe, they also operate in the United States and around the world, and they can do the following to your organization:
- They can conduct audits
- Review certifications
- Impose administrative fines
- Suspend data flows it deems non-compliant
- Impose limitations, and even bans, on processing
- Order a processor or controller to comply with GDPR
- Issue a warning should it appear that a GDPR violation may occur
Supervisory Authorities can also be given extra powers by European Union member states, in addition to those set out in Article 58, paragraphs 1, 2 and 3. To summarize, organizations need to keep a tight lid on customer data. The longer answer is that a firm must comply with a complex series of rules that include the following:
- Allow customers to see and delete the data that concerns them
- Provide notice of data breaches in 72 hours
- Make data policies transparent to an average person
- Hire a Chief Data Officer in some cases
- Follow “privacy by design” principles
Please note that the rules differ depending on the data in question. For example, hospitals and clinics must comply with GDPR. GDPR affects all professionals working in the health sector, and its proper application is even more important there than in other areas GDPR covers because it pertains to sensitive health data. For the regulation's definition of personal data related to health, review Article 4(15).
GDPR also affects higher education institutions such as universities and community colleges, as well as the travel and leasing industries and even utility companies, not just tech companies. Here is the link to the Data Protection Authorities who enforce GDPR.