The General Data Protection Regulation (GDPR) has major implications for how companies can handle European Union (EU) consumers’ personal data.
Companies that fail to comply with GDPR can be fined up to €20M or 4% of their annual revenue for the previous fiscal year, whichever is greater.
Learning about GDPR enforcement can help you understand and reduce your compliance risk. Keep reading to learn when the law went into effect and who enforces it.
When did GDPR go into effect?
GDPR went into effect on May 25, 2018.
GDPR was first adopted by the European Parliament and European Council in April 2016, but member states of the EU were given a two-year grace period before enforcement began.
During this period, member states could make small adjustments to meet their needs, but they were expected to ensure the GDPR was fully implementable in their countries by May 25, 2018.
By that date, organizations that process the personal data of EU residents, or offer goods or services to them, were expected to be GDPR compliant.
Who enforces GDPR?
Data protection authorities from each of the 27 EU member states enforce GDPR. Data protection authorities are independent of the government and have both investigative and corrective powers to monitor the application of GDPR and address non-compliance.
Their responsibilities include investigating complaints, providing expert advice on data protection issues, and determining when the GDPR has been breached. They may also issue fines.
All data protection authorities work together as a group on the European Data Protection Board (EDPB). The EDPB’s objective is to ensure that GDPR enforcement is consistent across the EU.
The EDPB does not itself enforce the data protection law. Instead, it provides data protection authorities with general guidance on the key concepts of the law. It also advises the European Commission on data protection and privacy legislation and related issues.