In the lead up to the General Data Protection Regulation, so much of the focus was on fines and regulatory audits, and while that may have been a spark that lit a fire for many privacy organizations, it is becoming increasingly clear that data subjects themselves will have an enforcement role as well, rather than the regulators acting alone.

The GDPR includes number of public-facing requirements, including notice and transparency, cookie consent, data subject rights, and breach notification, to name a few. Thus, a good deal of enforcement is going to be realized in the form of data subject complaints, and in addressing reputational risks caused by the PR nightmares that can often follow compliance failures.

So what can privacy offices do in response? As it turns out, success in the GDPR-age may require less of a focus on fines and supervisory authorities, and more of a focus on data subjects.

Supervisory authorities

Under the GDPR, EU member state supervisory authorities have powers to ensure that the principles of the GDPR as well as the rights of data subjects are upheld according to the GDPR, and according to the Article 29 Working Party (now dissolved, its replacement called the European Data Protection Board), “[c]onsistent enforcement of the data protection rules is central to a harmonized data protection regime.” And while the WP29 goes on to note that “[a]dministrative fines are a central element in the new enforcement regime introduced by the Regulation,” these fines must be viewed as what they are — namely, “a powerful part the enforcement toolbox of the supervisory authorities together with the other measures provided by Article 58.” In other words, fines might be a hammer, but this toolbox also contains wrenches, screwdrivers, pliers and more. Depending on the job, different tools will be appropriate, and supervisory authorities will “need to restore compliance through all of the corrective measures available to them.”

According to the WP29, “[o]nce an infringement of the Regulation has been established based on the assessment of the facts of the case, the competent supervisory authority must identify the most appropriate corrective measure(s) in order to address the infringement.” These “corrective measures” — i.e., the enforcement tools — are listed in Article 58 of the GDPR, and include:

  • Investigative powers, such as carrying out audits, reviews, or obtaining access to personal data, the premises of the controller or processor, or to any data processing equipment.
  • Corrective powers, such as issuing warnings, reprimands, orders, bans on processing, withdrawal of certifications, suspension of data flows to recipients in third countries, and of course, administrative fines.

Then, even if a supervisory authority does wish to issue a fine, they must do so in accordance with the requirements found in Article 83. In particular, the fine must “in each individual case be effective, proportionate and dissuasive” and must take the following into account:

  • Nature, gravity and duration of the infringement.
  • Nature, scope or purpose of the processing.
  • Number of data subjects affected and the level of damage suffered.
  • Intentional or negligent character of the infringement.
  • Any actions taken to mitigate damage to data subjects.
  • Degree of responsibility of the organization taking into account technical and organizational measures implemented by them.
  • Any relevant previous infringements by the organization.
  • Degree of cooperation with the supervisory authority.
  • Manner in which the infringement became known to the supervisory authority.
  • Compliance with previous measures ordered against the organization.
  • Adherence to approved codes of conduct or certification mechanisms. 
  • Any other relevant aggravating or mitigating factors.

According to Andrea Jelinek, chair of the European Data Protection Board, “[t]he important message is that our first task is not to fine the companies, but to look if they are compliant,” but if companies “don’t match the provisions of the regulation, they could be fined.” The Irish Data Protection Commissioner, Helen Dixon, has also publicly stated that “there will be fines, and they will be significant” but that this will be at “the end of a vey long path that has demonstrated a lack of accountability and an infringement.”

The WP29 noted, “[t]he point is not to qualify the fines as last resort, nor to shy away from issuing fines, but on the other hand not to use them in such a way which would devalue their effectiveness as a tool.” This could all reasonably be understood to mean that supervisory authorities should take great care to issue fines only when they are the appropriate enforcement tool — i.e., a hammer should only be used only for pounding nails.

Data subjects

Recently, the Irish Data Protection Commission reported that it had received more than 1,300 “concerns or complaints” (including around 700 phone calls and over 650 emails in the first week), and over 60 breach notifications. In fact, OneTrust also recently announced that its data subject access rights portal had handled more than 10,000 requests in the first two weeks of the GDPR.

This is significant, as it highlights the expectation that data subjects will be a primary driver of GDPR enforcement in the form of asserting their rights against data controllers, and filing complaints with supervisory authorities. It has also been emphasized by supervisory authorities, such as the Irish DPC, that their “first priority will be to be responsive to the risks and trends [they] identify in relation to complaints lodged.”

In the end, and perhaps more damaging than an administrative fine, GDPR violations can result in brand and reputational harm, in particular when data subjects themselves are the ones initiating enforcement. This becomes even more likely given the global scale to which the privacy debate has grown, and the ever-increasing awareness of individuals about their privacy rights. Additionally, various organisation, including supervisory authorities, have started providing instruction to individuals on how to submit data subject requests, and are making efforts to increase overall data subject education and awareness.

Data subjects also have a right under Article 82(1) of the GDPR to receive compensation from controllers or processors for any “material or non-material damage” suffered as a result of an infringement, and under Article 80(1) are empowered to seek the help of certain not-for-profits to lodge complaints with supervisory authorities and seek judicial remedies.

What to do

At OneTrust, we have heard from some organizations who, given the size and nature of their organization, are not as fearful of potential fines in the early stages of GDPR, but are understandably wary of the brand and reputational risks of non-compliance. Thus, in an effort to keep their data subjects (both customers and employees) happy, they have made strong pushes toward compliance, with particular focus in the areas that are the most public-facing and have direct contact with data subjects. Namely, they have improved their privacy notice and transparency efforts, including implementation of data subject request portals, cookie consent banners and preference centers, and opt-in consent forms.

Internally, these organizations have taken special care to train their employees about the GDPR, and that includes dispelling rumors and common misconceptions. Such training not only shows respect for the privacy rights and freedoms of their employees, but also helps to ensure that in turn their employees show respect for the privacy of their customers.