EU GDPR Fines Clarified – Cutting through the ‘FUD’

The blogspace is a flood with fear, uncertainty and doubt (FUD) tactics pumping up the pending European General Data Protection Regulations (GDPR). The headline grabber and favourite being the €20m or 4% fines applied to global turnover (NOT profit) for infringement. This level of fine is somewhat eye watering taken raw. However, ensure you take a good dose of reality check can prove as good as a spoonful of sugar to help the medicine go down, so read on.

Few of the pundits seem to point out that there are 2 (two) tiers of fines in the GDPR and not every infringement will incur the headline grabbing €20m or 4% of global turnover. Furthermore, fines for infringements will be considered on a case-by-case basis taking several criteria into consideration as detailed in Article 83 of the Regulation. Summarised as follows:

Tier 1 – €10m or 2% of global turnover fines will be considered for infringements listed in Article 83(4) of the Regulation, notably:

• Article 8 – Conditions applicable to child’s consent in relation to information society services
• Article 11 – Processing which does not require identification
• Article 25 – Data protection by design and by default
• Article 26 – Joint controllers
• Article 27 – Representatives of controllers or processors not established in the Union
• Article 28 – Processor
• Article 29 – Processing under the authority of the controller or processor
• Article 30 – Records of processing activities
• Article 31 – Cooperation with the supervisory authority
• Article 32 – Security of processing
• Article 33 – Notification of a personal data breach to the supervisory authority
• Article 34 – Communication of a personal data breach to the data subject
• Article 35 – Data protection impact assessment
• Article 36 – Prior consultation
• Article 37 – Designation of the data protection officer
• Article 38 – Position of the data protection officer
• Article 39 – Tasks of the data protection officer
• Article 41 (4) – the obligation of the monitoring body
• Article 42 – Certification
• Article 43 – Certification bodies

Tire 2 – €20m or 4% of global turnover fines will be considered for infringements listed in Article 83(5) of the Regulation, notably:

• Article 5 – Principles relating to processing of personal data
• Article 6 – Lawfulness of processing
• Article 7 – Conditions of Consent
• Article 9 – Processing of special categories of personal data
• Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject
• Article 13 – Information to be provided where personal data are collected from the data subject
• Article 14 – Information to be provided where personal data have not been obtained from the data subject
• Article 15 – Right of access by the data subject
• Article 16 – Right to rectification
• Article 17 – Right to erasure (‘right to be forgotten’)
• Article 18 – Right to restriction of processing
• Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
• Article 20 – Right to data portability
• Article 21 – Right to Object
• Article 22 – Automated individual decision-making, including profiling
• Articles 44 to 49 – Transfers of personal data to third countries or international organisations
• Article 58 (1) – failure to provide access
• Article 58 (2) – non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority

and any obligations pursuant to Member State law adopted under Chapter IX:

• Article 85 – Processing and freedom of expression and information
• Article 86 – Processing and public access to official documents
• Article 87 – Processing of the national identification number
• Article 88 – Processing in the context of employment
• Article 89 – Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
• Article 90 – Obligations of secrecy
• Article 91 – Existing data protection rules of churches and religious associations

OK not much consolation for any SME (Small Medium Enterprise) organisation to get whacked by even the lower tier. The point though is that whilst the fines are there, the regulations state that their intent is to be ‘effective, proportionate and dissuasive’.  The interpretation being the threat should be enough to ensure compliance and render the fines unnecessary.

Sadly, experience with other regulations tells a different story and many organisations will try to duck and dodge their obligations. This has always been the challenge in the SME sector which regrettably is the one that is the most exposed as they often lack the budget and mindshare in the face of making payroll each month. The biggest challenge is the starting point for SME’s who do not have a current baseline compliance with the existing regulations. Their mountain is all the steeper to climb by May 2018 as a big factor in GDPR is organisational cultural adaption and discipline to data privacy principles that does not change easily.

The May 2018 deadline is the enforcement date NOT the date at which organisations need to start thinking about GDPR. It will take many months for an organisation that has not complied with current Data Protection Regulation if not years for larger organisations to re-orientate their cultures. For those who have grasped the nettle and invested in compliance under the existing data regulatory regime, the task will be much easier as GDPR builds on that foundation.

This goes to what is at the heart of the EU GDPR expectation of organisations.  This can be summed up by the six key principles (Article 5) that state Personal Data shall be:

1. processed lawfully, fairly and in a transparent manner in relation to the data subject.
2. can only be collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes.
3. adequate, relevant and limited to what is necessary for the purposes for which they are processed.
4. accurate and where necessary kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard for the purposes for which they are processed, are erased or rectified without delay.
5. kept in a form such that the data subject can be identified for no longer than is necessary for the purposes for which they are processed.
6. processed in a manner that ensures appropriate security.

Addressing these will demonstrate the best that can be expected in the absence of a clear definition of GDPR ‘compliance‘.  With the caveat that attention to the detail as in the prior Data Protection Legislation was always where the real compliance challenge lies and the short list of 6 principles embodies the larger list of obligations noted above.

Vendors, Consultants and service companies alike are jumping on the GDPR bandwagon and wielding the fines like a blunt instrument whilst applying that tradition of ‘cut and paste’ marketing to rejuvenate languishing offerings with a GDPR spin. Whilst many of these solutions may be functionality practical in addressing some aspects of the EU GDPR core principles, applied in isolation they will have little more effect than that of monkeys in a box and a plague on your houses budget and time. For organisations confronted with the realities of the new EU GDPR obligations this air cover of vendor ‘FUD’ is not helpful.

So, don’t get the cart before the horse, defer technology expenditure specifically relating to addressing GDPR requirements till a GDPR plan has been clearly mapped out and signed off by the business. A good starting point being a Data Protection Impact Assessment (DPIA). Furthermore, these assessments tick the first box that otherwise could risk exposure to a fine, as a lack of DPIA or diligence in undertaking your DPIA is one infringement that will get you fined (Article 37 as noted above), albeit at the lower tier.

An important dimension to any such assessments is the Supply Chain. It is worth remembering that Data Breach (and exposure to fines) can impact multiple organisations, Data Controllers and Processors as well as GDPR Certifying Organisations. This has supply chain implications that cannot be ignored and appropriate measures need to also be put in place to manage that supply chain exposure or yes you guessed it, fines.

Just as the supply chain can magnify the exposure to fines for organisations, there are other fines that will come into play as data breach transparency exposes organisational malpractice. Individual damages for loss or harm are UNLIMITED on an individual basis. Imagine just a handful of data subjects suing an organisation for significant personal harm/damages. Now multiply that up against only a modest breach of 100,000 data records and the value of organisational readiness for GDPR becomes a crystal clear imperative.