The International Association of Privacy Professionals (IAPP) produces conferences all over the world geared towards those whose work intersects with physical and virtual world privacy issues. This year’s Washington DC Global Annual Summit was extremely informative and well worth attending.
While the summit had numerous interesting sessions on cutting-edge issues like the combination of digital and physical world tracking, health privacy, cyber-security, ethics, ransomware, etc., the overriding concern of many of the attendees was how Europe’s new General Data Protection Regulation (GDPR) would affect their clients.
Europe’s GDPR was designed to protect the personal information of individuals in the European Union. The GDPR was adopted on April 27, 2016 and goes into effect on May 25, 2018. During this transition period, companies that may be affected by these regulations are trying to figure out how to ensure that they don’t run afoul of them.
I spoke with a couple of lawyers who work for European regulators (who requested anonymity to speak freely), and they both provided me the impression that the initial plan is to help companies comply with the new regulations before using their strongest enforcement tools. Absent some egregious violations, it appears that regulators may give companies some flexibility in the beginning to better understand how the regulations will be implemented.
The potential penalties for GDPR non-compliance may be a written warning, regular periodic audits, or a fine of up to 2% or 4% of the worldwide annual revenues of a violator. It appears that the reason for such potentially steep fines is that in the past it has made economic sense for companies to violate the current privacy regulatory scheme.
When a company can make $50 million by abusing its access to personal information but can only be fined several hundred thousand dollars or a couple of million dollars, it’s a business decision to violate the law. It’s possible that these new regulations may hit U.S.-based technology companies much harder than their EU counterparts. While this may be the case, I was told that these new regulations would be applied evenly across the board regardless of a company’s home country.
The bottom line is that companies that process the personal information of EU individuals must understand their legal and regulatory obligations. This point was made abundantly clear throughout the DC IAPP Summit.