Banwo & Ighodalo

Legal And Regulatory Implications Of The GDPR On Business Organizations: Basic Compliance Strategies For Non-EU Entities


The GDPR in Article 84(5) prescribes penalties of up to EUR 20 million for infringements of its provisions. Under the Regulations, a Data Protection Authority (“DPA”) in any Member State is empowered to impose fines of up to EUR 20 million, or in the case of an undertaking, 4% of annual worldwide turnover of the preceding financial year (whichever is higher) for infringements relating to:

  1. transfers of personal data to a recipient in a third country or to an international organization;

  2. basic principles for processing, such as conditions for obtaining the consent of data subjects;

  3. the rights of data subjects; and

  4. non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to the Regulations. 

For other infringements, such as those relating to (i) the obligations of data processors and controllers, and (ii) data certification and data monitoring authorities, a fine of up to EUR 10 million shall be applicable, or in the case of an undertaking, 2% of annual worldwide turnover of the preceding financial year (whichever is higher). A DPA is required to consider the nature, gravity and duration of an infringement before arriving at appropriate sanctions to apply.



Given the severity of the prescribed penalties for non-compliance, non-EU entities whose activities fall under the regulatory purview of the GDPR have an obligation to speed up their compliance process in the aftermath of the May 25 deadline and be in the same position as their EU counterparts. In this regard, the following are recommended as quick wins for affected non-EU entities working to attain full compliance with the GDPR:

  • Privacy Policy & Hack-proof IT System: Business entities should develop privacy policies for the use of their data processing systems/platforms in plain and direct language easily understandable by data subjects. A compliant privacy policy should observe and respect the rights of data subjects as specified in the GDPR. For those who already have a privacy policy in place, existing consents may still work, but only provided they meet the new prescriptions in the Regulations. Entities must embrace privacy by design and default in accordance with Article 25 of the GDPR. In the same vein, organizations should invest in modern, hack-proof information technology (“IT”) systems, with IT departments devising a strategy for establishing certification mechanisms and data protection seals and marks that allow data subjects to quickly assess the level of data protection on their websites.

  • Appointment of a Data Protection Officer (“DPO”): Non-EU entities required to comply with the Regulations should establish a framework for accountability by appointing a Data Protection Officer (DPO), as prescribed in Articles 37, 38 and 39 of the GDPR. The DPO is to ensure that the privacy policy in place is not opaque or restrictive and that the data security architecture installed is at all times not susceptible to hacking or cyberattacks. It will also be the duty of the DPO to ensure that proper documentation is done along the data processing line and that data retention is in compliance with the provisions of the GDPR. The DPO will also ensure that proper notification of any personal data breach is made to the appropriate supervisory authority or the affected data subjects, as the case may be, to avoid contravention of the GDPR.

  • Lawful Processing of Data: Another way by which affected non-EU entities can easily comply with the GDPR is by keeping their data processing activities within the areas classified under Article 6 as “Lawfulness of processing”. Essentially, activities qualified as lawful processing constitute permissible derogations under Article 49 of the GDPR. Accordingly, data processing and transfer shall be lawful only if, and to the extent that, at least one of the following applies:

    • the data processing is by a natural person in the course of a purely personal or household activity;

    • the data subject has given consent to the processing of his or her personal data for one or more specific purposes, after having been informed of the possible risks of such processing/transfer;

    • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

    • processing is necessary for compliance with a legal obligation to which the controller is subject;

    • processing is necessary in order to protect the vital interests of the data subject or of another natural person;

    • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

    • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly where the data subject is a child. Public authorities are however exempted from this provision where they process data in the performance of their official tasks;

    • transfer of data is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

    • transfer of data is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

    • transfer of data is necessary for important reasons of public interest;

    • transfer of data is necessary for the establishment, exercise or defence of legal claims;

    • transfer of data is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; and

    • transfer of data is made from a register which, according to the EU or a Member State law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in the law for such consultation are fulfilled in the particular case.