Data protection watchdogs may look to make an example of a large organisation if it does not comply with the major EU law being introduced this month, a legal expert has said.
The General Data Protection Regulation (GDPR) is designed to harmonise data privacy laws across Europe and to protect citizens’ data privacy.
It applies not only to organisations established within the EU but also to firms based outside it that offer goods or services to, or monitor the behaviour of, individuals in member states.
If companies fail to comply with the regulation, they can be fined up to €20m or 4% of annual global turnover, whichever is higher.
The GDPR will come into force on May 25.
Bryan McCarthy, head of law firm RDJ’s cyber and data protection group, said a key question organisations were asking was what compliance actually entailed.
“We are clear on the various obligations on data controllers and we know that one of the most important changes under GDPR is being able to demonstrate compliance.
“As the fundamental principles relating to the processing of personal data apply to many of the same operations of an organisation, it is difficult to gauge overall compliance in terms of simple pass or fail.
“I have been assisting my clients over the last number of months as they prepare for the coming into force of GDPR and crucial to this is what I describe as the ‘compliance posture’ of an organisation.”
He said the two-year lead-in time for GDPR was almost up and that, from the end of this month, the Data Protection Commission would be responsible for monitoring and enforcing the application of the new law.
“It may be the case that the Data Protection Commission makes an example of a large organisation or undertakes a particular industry or sector-wide review. However, for SMEs and smaller companies, their overall compliance posture is going to be key,” Mr McCarthy said.