[BreachExchange] GDPR fines: How high are they, and how can you avoid them?

Audrey McNeil audrey at riskbasedsecurity.com
Wed May 2 10:06:30 EDT 2018


With the EU's General Data Protection Regulation (GDPR) set to come into
force in less than a month, organisations are racing to comply with the new
set of rules governing data protection for the modern age.

One of the biggest headline-grabbers of the new rules - which seek to give
people more control over how their data is used, and to simplify data
protection law across the continent - has been the massive financial
penalties organisations could face if found to have infringed them,
including by failing to protect the personal data they hold from a breach.

Dizzying fines of up to €20 million or 4% of global annual turnover
(whichever is higher) are set out in the legislation for organisations
that fail to adhere to GDPR, including by failing to secure personal data
against a breach or to report one.

This is far more than the current cap on financial penalties, with
organisations in the UK currently facing fines of up to £500,000 for
breaching the Data Protection Act 1998.

The huge increase speaks to a greater onus placed on the value of data in a
digital landscape, particularly where companies, most significantly tech
giants like Facebook, have profited from the unregulated use, exchange, and
in many cases - as the recent Cambridge Analytica scandal has shown -
exploitation, of data.

A tiered approach to fines

Although the maximum penalty of €20 million, or 4% of global annual
turnover, stole the headlines, there is actually a two-tiered approach to
fines under GDPR, with each tier corresponding to the severity of
Article 83 of the GDPR outlines the two tiers, as well as how they will be
administered: the lower tier carries a maximum fine of €10 million, or 2% of
global annual turnover, and the higher tier a maximum fine of €20 million,
or 4% of global annual turnover (in each case, whichever is higher).

Lower tier fines will be imposed on organisations that contravene
obligations relating to integrating data protection 'by design and by
default', keeping records of data processing, cooperating with the data
regulator, communicating a personal data breach to a data subject or a
regulator, and designating the position or tasks of a data protection
officer, among

Higher tier fines, meanwhile, will be reserved for more serious
infringements, including breaches of a data subject's rights and freedoms,
failure to follow the basic principles for processing personal data,
including the conditions for consent, and non-compliance with a prior order
or a limitation on processing imposed by the regulator.

Will you always be fined the maximum?

Despite what vendors marketing apparently GDPR-friendly software and
services say, fines almost certainly won't reach the scale outlined under
GDPR for the vast majority of organisations.

The regulation itself makes clear that all fines will be decided on a
case-by-case basis, in the spirit of being "effective, proportionate and
dissuasive".

Regulators will take into account the nature of the infringement, its
gravity and duration, the scope and nature of an organisation's data
processing, as well as the number of data subjects affected and the level
of damage they have suffered.

The legislation also makes clear that whether an infringement was
intentional or negligent will be taken into account, as well as any
previous efforts taken to comply, and any actions taken to mitigate damage
to affected data subjects. This means organisations should document all
processes and show their working, to demonstrate to the data protection
regulator that they are doing everything possible to comply.

Other factors will include an organisation's history when it comes to
infringements, the categories of personal data affected, how quickly any
infringement was reported, and the level of cooperation with the data
regulator. For the UK, that's the Information Commissioner's Office (ICO).

James Pressley, associate solicitor at law firm Kirwans, cited a case where
the ICO issued Carphone Warehouse with a fine of £400,000 under the Data
Protection Act - 80% of the maximum fine - and also cited WhatsApp's
purchase by Facebook, and the undertaking the messaging service gave to the
ICO not to transfer any WhatsApp UK user data to Facebook.

"When dealing with organisations of that size, it is easy to imagine that
fines of the new GDPR limits could be considered 'proportionate'," he said.

How will the ICO operate post-GDPR?

The ICO, charged with enforcing data regulation in the UK, has gained a
reputation for being a conservative regulator, inclined towards leniency.
For example, of the 18,300 data protection cases it handled in 2016/17, it
issued just 16 fines, totalling £1.6 million, for serious breaches,
according to its last annual report.

Given the scale and severity of fines set to be imposed under GDPR -
roughly 40 times the current maximum of £500,000 - as well as signals from
the Information Commissioner, Elizabeth Denham, all eyes are on the ICO as
to how it will operate once the new data protection rules come into force
on 25 May.

"And while fines may be the sledgehammer in our toolbox, we have access to
lots of other tools that are well-suited to the task at hand and just as
effective," Denham said in a speech last August.

In the same speech, she reassured organisations that "predictions of
massive fines under the GDPR that simply scale up penalties we've issued
under the Data Protection Act are nonsense," indicating the ICO will
continue to operate in much the same vein as it has thus far, with fines a
last resort.

However, Denham also dismissed predictions of a 'grace period' for
compliance, in which the ICO would be lenient in the first few months
following the introduction of GDPR, given that businesses have had two years
to
"Elizabeth Denham, the current Information Commissioner, has given the ICO
a higher profile and made it more proactive, with actions including, for
example, the recent raids on the offices of Cambridge Analytica," Pressley

"It would be entirely consistent with that approach for the ICO to
demonstrate its new powers by imposing substantial fines, which would serve
the dual purpose of bringing many private organisations into line."

Denham also indicated that infringements in areas previously covered by
the Data Protection Act 1998 would be viewed dimly. Conversely,
organisations that self-report areas of non-compliance would be looked on