GDPR: How EU Enforcement Works and Doesn’t Work

For non-EU-based companies, preparing for the new EU privacy law GDPR – the General Data Protection Regulation – can be stressful the first time around, and the threat of fines of up to 4% of annual sales isn’t making it any better. Nor does it help that you may not fully know what information your company and its service organizations are actively and passively collecting on people, including whoever is browsing your website. This article explains what is known about GDPR enforcement.

Yes, enforcement began May 25, 2018.

No, we don’t know how this will exactly work.

This is what we do know:

The European Commission states (on its official website) that enforcement will likely follow these steps:

1) likely infringement – a warning may be issued
2) infringement – the possibilities include a reprimand, a temporary or definitive ban on processing, and a fine of up to €20 million or 4% of the business’s total annual worldwide turnover, whichever is higher.

So, we have the possibility of a reprimand, a monetary fine, a temporary ban on processing data, and/or a permanent ban on processing data.

With respect to enforcement, the EU Commission further explains that the fines imposed by the DPA (data protection authority) must be “effective, proportionate and dissuasive.” Factors at play include:

  • the nature of the infringement,
  • its gravity,
  • its duration,
  • its intentional or negligent character,
  • mitigation efforts,
  • damage to individuals,
  • the degree of cooperation of the organization.

Do we know what a “proportionate” fine looks like? Not really. But we do, as experts in the field of data protection, know how to build and document a solid cybersecurity and data protection program that respects the GDPR principles.

On May 25, 2018, another change related to enforcement goes into effect. For those of you who have read deeper into GDPR and its interpretation, the Article 29 Working Party goes away. This was a group of representatives from each EU member state that issued guidance on GDPR implementation. That guidance has been helpful for advisory companies like ours: the Working Party answered questions like “do I need a DPO?” or “which DPA do I choose if I have offices in multiple EU countries?” We need these official answers. When GDPR takes effect, the Working Party is replaced by the European Data Protection Board (EDPB). The EDPB is also made up of representatives of all the member states. One of its jobs is to coordinate investigations across the 28 EU countries. We also know that the EDPB has its own power to bring enforcement action, in addition to the DPAs. Let’s hope they keep answering questions.

Here’s some information from a different vantage point:

On May 16, 2018, the New York Times published an article on Ireland’s data commissioner, Helen Dixon, calling her one of tech’s most important regulators. Why the focus on Ireland’s data commissioner? Because Ireland is the European headquarters of Facebook, Twitter, Airbnb, Apple, Google, and Microsoft, which owns LinkedIn. Ms. Dixon will have authority to fine these tech giants up to 4 percent of their global revenue. The NYT article put that at about $1.6 billion for Facebook. That’s power.

However, the article also went on to cite a Reuters survey in which 24 (out of 28) EU privacy authorities answered questions related to their enforcement readiness. (Ireland did not participate.) “Seventeen of 24 authorities who responded to a Reuters survey said they did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties,” reports the New York Times.

While the mechanisms for enforcement may not be fully implemented, the regulation will have a profound effect. It already has. Companies everywhere are looking at how they manage their electronic relationships with people worldwide. Data privacy, as a concept, is being thought about and talked about. The requirements to protect that data will emerge – in one way or another.

Sera-Brynn offers GDPR advisory services, including readiness assessments, technical services to efficiently locate and protect personal data, assistance with policy writing, and fractional CISO services.

The analyst-author, Colleen Johnson, can be reached at colleen.johnson@sera-brynn.com.