Helen Dixon confirms her office intends to use powers under GDPR to issue fines of up to €20m or 4pc of a company’s annual turnover from May 2018.
In a recent interview with Adrian Weckler from the Irish Independent, Ireland’s Data Protection Commissioner tells us what businesses can expect when the EU GDPR comes into full force on 25th May 2018.
Big & Small Entities Risk Fines for Non-compliance
Adrian Weckler (AW): “Are you willing to go the full distance in fining companies €20m?”
Helen Dixon (HD): “Yes. We have to be willing to. The legislature in Europe provided for fines up to that level because they believe in certain cases it may arise. Presumably, it would involve many users. But it’s absolutely the case that we will be imposing fines against big and small entities based on the issues that come across our desk and the areas of risk we identify. There’s nothing surer than this.”
No Leeway or Grace Period
AW: Will there be any leeway to ease companies into the new, stricter punishment regime?
HD: No. There’s not going to be any amnesty or first or second chances. On the other hand, the GDPR does set out criteria when we go to look at the quantum of fine we might impose.
We are obliged to take into account the level of co-operation between us and the regulated entity, the number of data subjects, the level of effect on the data subjects and any previous contraventions. But not an amnesty period of any description.
Court prosecutions no longer required, under GDPR the DPC office can levy fines directly.
AW: The GDPR doesn’t take full effect until May 2018, which is over a year away. But in one case highlighted by your office, Paddy Power paid a €500 charitable donation for having turned its customers’ wifi usage into spam text messages. What will make companies like that worry about further data privacy violations?
HD: Well remember that in the future, under the ePrivacy regulation which is currently in draft form, the same sanctioning powers and administrative fines powers as exist under the GDPR will be given to regulators.
So in the case of Paddy Power, rather than us bringing a prosecution to court and having a judge impose that charitable donation, we will be levying the administrative fine in that case. And we will be able to take into account any previous breaches by Paddy Power and all the other criteria that we’re obliged to take into account. We will then be able to levy a fine that is proportionate, effective and dissuasive in that case. So actually the game is changing. The powers we’ll have under the GDPR, both to fine and to promote the fact of the fine and the reasons for it, are going to change behaviours.
AW: You announced that your office will expand from 70 people this year to 130 in the next two years. How do you assess the level of resources that you have? Is it enough, given the expansion of services like Facebook and the imminent arrival of the GDPR?
HD: As data protection regulators, we’re unique in the regulatory landscape in that we supervise almost every type of entity. So there’s always going to be a limitation, no matter how big a data protection authority you are in terms of the quantity of entities you can supervise at any one time.
A full copy of the original news article can be found here: http://www.independent.ie/business/technology/data-protection-boss-vows-she-will-use-new-powers-to-fine-firms-up-to-20m-35657249.html?utm_medium=email&sslid=M7GwMDExNjA2N7O0BAA&sseid=MzQ1MzQztrA0NAUA&jobid=e1d901cd-529d-4999-bb46-9ba3f95691c2