Privacy compliance is complicated, but there are steps you can take to reduce the risk of fines for noncompliance. Often, European regulators will take your efforts into account when determining enforcement action. Here are four common elements that can have a significant impact on the amount of fines imposed.


An $888 million fine against Amazon for alleged privacy violations of the European Union's General Data Protection Regulation (GDPR) has left many organizations wondering how they can protect themselves from similar compliance violations. The case focuses on how Amazon collects and uses personal data associated with the tech giant's EU headquarters in Luxembourg, according to Bloomberg.

The penalty that the Luxembourg National Data Protection Commission (CNPD) has proposed against Amazon surpasses the steepest GDPR fine to date, a $56.8 million penalty imposed on Google in France for its data-consent policies. In February, Marc Lemmer, a commissioner at the Luxembourg data protection agency, told Politico that the organization was not focused on hefty fines. "The aim is not to have big sanctions — the aim is to have a change in culture," Lemmer said.

Adopted by the EU in April 2016 and officially implemented in May 2018, GDPR aims to give individuals more control over how companies process their personal data. In 2020, we saw several fines in big tech stemming from GDPR — the 625 known fines issued as of May 2021 totaled $283 million in penalties.

The CNPD outlined a draft decision and proposed a fine for the GDPR violations, among 26 other national authorities in the bloc. The proposed fine provides an opportunity for companies to learn how to avoid similarly hefty penalties stemming from privacy violations as we start to see more fines with larger dollar amounts — fines that can total up to 4% of a company's annual revenue, the maximum allowed under the GDPR.

Following are four steps organizations should take to reduce the risk of privacy fines from GDPR:

1) Document Your Data Processing Procedures
Establish accountability by keeping a record of processing operations and document every step you take and everything you consider relevant as part of your data processing operations. Whatever you do with data, document what you are doing and why you are doing it.

Consider also keeping a library that contains internal policies and procedures, and spells out how the company meets the requirements set up in the law. These policies and procedures are called accountability mechanisms. Written policies and processes facilitate consistency. Consistency breeds compliance. Compliance breeds trust — and leads to positive interactions with regulators.

2) Leverage Your Privacy Team
Keep your privacy team in the loop regarding development of new products and services. Involve the privacy team in a timely manner in compliance efforts and rely on a qualified privacy officer or data protection officer. Follow the privacy officer's advice so that sensitive data will not slip through the cracks. Your privacy team can also provide compliance training to help reduce the risk of steep fines and drive privacy awareness.

3) Share How You Comply With Privacy Laws
Document your compliance. Being able to demonstrate on an ongoing basis how you comply with the law is what will make your program — and your response to regulators — successful. Complying without being able to demonstrate it means you have little to nothing to send or show regulators if requested. Sharing the processes by which you review ongoing compliance, and keeping your records up to date, can greatly reduce the risk of violating GDPR. Automated risk analysis and assessment management can help you review compliance. Knowing what regulations call for, doing what is required, and proving you know and did what is needed is a simple formula for managing compliance proactively.

4) Engage in Full Cooperation With Regulators
Coordinating, collaborating, and getting on good terms with regulators can reduce your risk of hefty fines. Of course, you don't need to provide more than is asked, but also don't provide less than was asked. A major factor in cases where companies receive a fine is failure to respond sufficiently to regulators. Often, Data Protection Authorities (DPAs) will not engage with companies directly to build a relationship, because they want to safeguard their independence.

The key is first, making sure you are taking the steps you need to take and documenting your efforts and activities, and second, cooperating. If you take these steps and put forth a diligent, concerted effort to comply with documentation and compliance reviews, the authorities will take good faith efforts into account and you can reduce your chances of incurring heavy fines for privacy violations.

About the Author(s)

K Royal

Associate General Counsel and DPO at TrustArc

K Royal is an attorney and global compliance professional with 25 years of experience in the legal and health-related fields. K has a particular interest in technology along with its challenges and opportunities. On a typical day, she works with GDPR, HIPAA, CCPA, incident response, policy writing, and building privacy programs, when she is not speaking or writing on cybersecurity, IoT, nonconsensual porn, whistleblowing in the EU, and other wildly exciting privacy/data protection topics. She is certified through the IAPP as a Fellow of Information Privacy (FIP), Privacy Management (CIPM), and US and EU Privacy Law (CIPP/US, CIPP/E) and through ISACA as a data privacy solutions engineer (CDPSE).

Paul Breitbarth

Director, Global Policy & EU Strategy at TrustArc

Paul Breitbarth is a privacy professional based in the Netherlands primarily focused on the international field. Paul's enthusiasm for privacy and data protection is combined in a senior role at the American privacy research and software company TrustArc and a visiting teaching position at Maastricht University. He is also a regular guest lecturer at other universities across Europe, including Erasmus University Rotterdam and the University of St. Gallen.
