Europe’s GDPR is widely-discussed in today’s news cycles and for good reason. The regulation impacts many organizations throughout the world, and violations of the regulation can result in material fines. One aspect that isn’t widely discussed but an organization facing the possibility of a GDPR fine would want to know is how violations are identified and fines decided upon. In other words, what’s the enforcement framework for GDPR?

Because the European Union (EU) is a union and not a federal government, its laws and regulations are directly enforced by its Member States. GDPR has required each Member State¹ to establish at least one independent supervisory authority (commonly referred to as data protection authorities, or DPAs), and these entities have responsibility to enforce GDPR in their respective Member State². 

GDPR Enforcement Process

Figure 1: GDPR’s Enforcement Process

Before the regulation can be enforced, a DPA must first find out that if an organization has potentially violated GDPR. This discovery occurs in one of three ways:

  1. A DPA conducts an audit of an organization
  2. An organization reports a violation through its appointed data protection officer (DPO)
  3. A complaint is lodged by an individual against an organization 

When a potential violation has been identified, the DPA begins investigation to determine if a violation has actually occurred and if it has, its impact (if a violation impacts individuals residing in more than one Member State, the DPA of the Member State whose residents were most affected takes the lead role).

Once an investigation has concluded, the (lead) DPA may issue the violating organization a monetary fine. We’ll discuss fines in our next article, but know for now that fines are to be “effective, proportionate and dissuasive” while taking into account the following (Article 83):

  • The violating organization’s:
    • Size 
    • Posture towards privacy
    • Attempts to mitigate the effects of violations
    • (If applicable) Previous GDPR violations
  • The types of data involved
  • The type of the violation, such as a(n):
    • Unapproved data transfer
    • Data breach

From here, the process differs by each Member State, which are instructed by GDPR to create their own laws that govern how their respective DPAs may exercise authority. For example, the United Kingdom’s DPA (called the ICO) generally:

  • Issues a preliminary findings and monetary fine
  • Allows the organization & affected individuals to comment on the findings and fine
  • Delivers a final decision

Regardless of if an appeal process exists in a given Member State, once a fine has been issued, the violating organization will have to pay that fine. 

¹As of July 2019, the EU Member States are (listed alphabetically): Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Spain, Sweden and the United Kingdom

²DPAs have other responsibilities as well, but this article focuses solely on DPA’s enforcement responsibilities