Can you be fined for failing to respond fully or promptly to a data subject access request? In a word, yes. Remember, EU regulators can impose the GDPR's highest tier of fines, up to 4% of annual worldwide turnover or €20 million, whichever is higher, for violations of data subjects' rights, and this includes the rights and requests set out in Articles 12 to 22. Under the GDPR, we have already seen businesses fined anywhere from a few hundred to tens of thousands of euros for failing to respond fully to data subject access requests.
Under the CCPA, the maximum civil penalty is $7,500 per intentional violation. Violations lacking intent are subject to a maximum of $2,500 per violation.
In other countries with GDPR-like privacy regulations, such as Brazil's LGPD, the fines may be less severe. Article 52 of the LGPD states that the maximum fine for a violation is "2% of a private legal entity's, group's, or conglomerate's revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals". However, it should be noted that the time allowed to provide a complete response to an access request is 15 days, which is much shorter than either the GDPR (one month) or the CCPA (45 days). The bottom line is that a prompt and complete response to subject access requests from consumers and employees is an imperative.
If you want to learn more about privacy and compliance, 2B Advice offers a variety of data privacy software solutions for any size business – contact us today to learn more.