When the General Data Protection Regulation (EU 2016/679) comes into force on 25 May next the Office of the Data Protection Commissioner will be able to impose for the first time large administrative fines for data protection breaches. Muireann Reedy explains why it will pay to be compliant with the GDPR.
In May 2017, the Irish Government published the General Scheme of the Data Protection Bill. When finalised and enacted, it will give effect to various discretionary measures set out in the GDPR, as well as transposing the Police and Criminal Justice Authorities Directive (EU 2016/680). As a result of the GDPR, the Data Protection Commission (DPC), which will replace the Data Protection Commissioner, will have the power to levy administrative fines for the first time. The DPC will be the supervisory authority in Ireland responsible for, among other things, monitoring and enforcing compliance with the GDPR.
The GDPR sets out two tiers of administrative fines, depending on which underlying provision of the GDPR has been breached. For less serious breaches, the fine can be up to the higher of €10 million or, in respect of an undertaking, 2 per cent of its total worldwide annual turnover for the preceding financial year. These figures are doubled for more serious breaches.
It remains to be seen whether subsidiaries will be considered separately from the parent company when determining the scope of the term 'undertaking'. If they are included within this definition, entities could be looking at potentially colossal fines. Breaches falling within the lower fine bracket include: using a data processor without obtaining sufficient guarantees that it will implement appropriate technical and organisational measures; failing to co-operate with a supervisory authority; and failing to notify a supervisory authority of a breach within the requisite time period.
Breaches which may trigger the higher level of fine include: processing personal data in a manner which is not lawful, fair and transparent; processing data which is not relevant and limited to what is necessary; failing to ensure that personal data is accurate and, where necessary, kept up to date; and failing to demonstrate to the supervisory authority that the data subject has consented to the processing of his/her personal data. The GDPR requires supervisory authorities to ensure that in each case the administrative fine is 'effective, proportionate and dissuasive'. The GDPR requires various matters to be considered by a supervisory...