Roughly one-third of Connectria’s customers are either based in the EU or are doing business within the EU. For them, the risks of non-compliance with GDPR are significant.

GDPR Fines

Currently, GDPR has two levels of fines – upper and lower.

• Lower level: Up to €10 million, or two percent of the worldwide annual revenue of the prior financial year, whichever is higher.
• Upper level: Up to €20 million, or four percent of the worldwide annual revenue of the prior financial year, whichever is higher.

Note, this is global revenue, not simply EU-related revenues. If that sounds like a raw deal for small and midsized companies, especially those based outside of the EU, you may be right.

Say, for example, you’re an up-and-coming SaaS solution provider. Your current global revenues hover around $200 million, but you have plans to grow. Europe is one of your growth markets, and although your revenues from the EU are only 10 percent ($20 million), you expect them to be 50 percent or more of revenues in the coming years.

One small blunder, such as a misinterpretation of the regulations, could cost you $4 million – very likely, taking a significant chunk out of your operating budget. If you committed an upper-level transgression, it could cost you $8 million. Actually, per the levels above, the infractions could cost you roughly $11 million or $22 million if the ICO decides to pursue the maximum penalty. That small clause ‘whichever is higher’ makes a significant difference.

Diving Deeper into GDPR

Unfortunately, it gets even worse. While GDPR regulations establish an oversight board, the European Data Protection Board (EDPB), Article 70 makes it pretty clear that the board’s purpose is to provide guidance. They are expected to issue guidelines, opinions, and recommendations, but at the end of the day, they have little control over the actual fines issued by the member states. In the end, penalty levels may depend as much on where the case is adjudicated as on the actual infraction that occurred.

One issue we’re watching is whether fines can be levied by multiple countries for essentially the same violation. For example, a few months ago, France assessed a $57 million fine against Google. The investigation occurred in France instead of in Ireland, home to Google’s EU headquarters, due to where the decision that resulted in a violation occurred. But, it’s not clear whether, in certain scenarios, a company might be held liable in multiple countries.

Download the complete whitepaper: GDPR’s Impact on US-Based Companies.

The opinions expressed in this post and whitepaper are the result of our analysis of GDPR and other regulations. Always obtain the advice of qualified legal counsel when setting compliance strategies and policies.