GDPR: Winter is Coming (and Enforcement is Too)

October 28, 2018

By: Amber L. Lawyer, Fred J. M. Price, and Sara C. Temes

After its implementation in May 2018, the European Union General Data Protection Regulation (GDPR) continues to dominate headlines in many industries, including technology. On September 25, 2018, Facebook discovered a security breach that exposed the personal information of approximately 50 million users. Facebook disclosed this breach within the 72-hour window required for disclosure under the GDPR. Despite the timeliness of the notification, the Irish Data Protection Commission indicated that Facebook could still face enormous fines for its inability to clarify the nature of the breach and risk to users at the time of notification. 

If a company violates data subject rights or fails to comply with required procedures under the GDPR, it can be fined up to four percent of its annual global turnover (revenue). Last year, Facebook reported more than $40 billion in global revenue. Therefore, Facebook’s potential fine could exceed $1.6 billion. 

In a recent interview, the European Union’s data protection supervisor, Giovanni Buttarelli, stated that the first GDPR enforcement actions are scheduled to begin in November—six months after the GDPR came into effect. In July 2018, the U.K.’s Information Commissioner’s Office commenced its first formal enforcement action against a Canadian data analytics firm, AggregateIQ Data Services. Formal complaints against Facebook, Google and other large data-dependent technology companies have been filed since the effective date of the GDPR, resulting in ongoing investigations. Enforcement actions should help other impacted entities interpret the GDPR with greater precision. We will continue to monitor these developments as they unfold.

What does this mean for your business?

If your entity maintains an online presence, it may be subject to the GDPR. For example, if your website collects any information about its users, whether through forms people submit on the website or through third-party collections, such as Google Analytics, the GDPR likely impacts the way your entity collects, stores and processes data.

Bond’s Cybersecurity and Data Privacy team puts its thorough knowledge of the GDPR to work to assist our clients in developing compliance measures. We can help you bring your policies up to speed.