March 26th, 2018 | Sterling

Who are the Regulators of the Data Protection Laws under the GDPR?

Sterling has produced a 10-part webinar series about the changes to personal data protection in the European Union when the EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018. The webinars share key steps hiring managers, HR and legal personnel can take now to help ensure full compliance from day one. The first webinar in the series, “What You Need to Know with 12 Months to Go”, introduced the changes to data privacy laws to come. The tenth and final webinar in the GDPR series, “Regulators, Enforcement & Fines”, is now available on demand. Oran Kiazim, Vice President of Global Privacy, and Beatriz Torets-Ruiz, Privacy Analyst & Legal Researcher of Sterling, explain who regulates and enforces the guidelines put forth by the GDPR and what fines or reprimands could occur if the guidelines are not followed.

What are Data Protection Authorities?

The Data Protection Authority (DPA) or “supervisory authority” is the national regulator that is responsible for enforcing data protection laws and for providing guidance on the interpretation of those laws. There is a DPA for each EU Member State, and in some cases, at the sub-national level. The characteristics of a DPA are:

  • Competencies: Under the GDPR, DPAs are required to monitor the application of the GDPR, facilitate the free flow of data within the EU, and cooperate with each other and the European Commission to assure consistent application of the GDPR.
  • Powers: The legal powers of DPAs are largely unchanged under the GDPR. DPAs will monitor and enforce the application of the GDPR, hear claims brought by individuals or their representatives, establish a requirement for data processing impact assessments, encourage the creation of codes of conduct and keep records of sanctions and enforcement actions.
  • Cooperation: Cooperation with the DPA is crucial, and failure to cooperate with a DPA could lead to substantial administrative fines.

What is the “One Stop Shop”?

For companies that operate across multiple EU member states, the GDPR introduced the concept of the “One Stop Shop”: a single lead DPA or regulator instead of a regulator in every EU Member State. This will be the main regulator that an organisation will deal with for data privacy regulations. The “One Stop Shop” applies to companies operating in multiple EU member states, or it can pertain to a business which operates in only a single member state but conducts cross-border processing which would have a substantial effect on individuals. Background screening would be an example of this.

To determine its lead authority, a company must first determine where its main establishment or headquarters is located and where the main decisions are being made. From a background screening perspective, this is where the decisions about the screening programmes are made or given final sign-off, or where the decisions about screening programmes are based.

The one-stop shop mechanism only affects organisations with their main establishment in the EU. After Brexit, UK organisations might not be able to participate in the one-stop shop mechanism. Therefore, UK-based companies might have to work with multiple regulators for every EU member state in which there is access.

The Level of Fines under the GDPR

In general, fines under the GDPR are not applied automatically. For minor infringements, a DPA might decide to issue a reprimand instead of a fine. However, there needs to be a consistency mechanism in place to reduce the possibility of variations in decisions across EU member states. For example, one DPA might issue a reprimand while another would issue a fine for the same infringement.

There are two levels of fines, depending on the infringement, and there is a cap on the fines that can be given. To determine a fine, the DPA must take the following factors into account:

  • Nature, gravity, duration, number of data subjects and level of damage
  • Intentional or negligent infringement
  • Actions taken to mitigate risk based on infringement
  • Degree of responsibility
  • Relevant previous infringements
  • Degree of co-operation with DPA
  • Categories of personal data affected
  • Whether infringement was notified to DPA
  • Previous history of enforcement
  • Other aggravating or mitigating factors

Maximum fines for certain infringements are €10m or 2% of an organisation’s annual global turnover, whichever is greater. The infringements for the lower-level fines include not complying with the privacy by design principles of the GDPR, not cooperating with regulations set by the DPA, not maintaining proper written records, incorrectly conducted DPIAs and not having the proper DPO in place.

Other infringements, however, are subject to higher fines of up to €20m or 4% of an organisation’s annual global turnover, whichever is greater. The infringements for the higher-level fines include not following the basic principles of processing, including the conditions for consent, not complying with data subject rights, failing to process international transfers correctly, not following obligations under EU Member State laws, and not complying with DPA orders or a DPA investigation.

Importance of a Background Screening Policy

Having a well thought-out, compliant and documented background screening policy could help demonstrate compliance to a regulator in case of an investigation or complaint. For a company that relies on background screening information for its hiring process, it is recommended to have a background screening policy in place. Reach out to your background screening provider to ensure your agreements cover GDPR-related compliance. Companies should also consider running a GDPR gap analysis on their screening program to identify and address any significant compliance issues.

Sterling has been planning since 2016 for the GDPR changes that go into full effect on 25 May 2018. One way to stay up to date on the provisions of the GDPR and make sure that your organisation is compliant is to sign up for the Sterling GDPR 10-part webinar series. The on-demand webinars tackle the many aspects of the GDPR, from privacy notices to definitions of the data privacy regulating bodies and how the changes will impact the background screening industry. Sign up today for these informative webinars.

Please note: Sterling is not a law firm. The material available in this publication is for informational purposes only and nothing contained in it should be construed as legal advice. We encourage you to consult with your legal counsel to obtain a legal opinion specific to your needs.
