Channel: Symantec Connect - Blog entries

Get ready for GDPR, not fined by it


With GDPR on the horizon, it is now important to discuss the complex issue of fines. While this blog neither gives legal advice nor predicts future actions of Europe’s privacy regulators, it does provide the basic facts.

It’s the fines associated with GDPR non-compliance that make this topic one for boardroom debate. GDPR isn’t a “paper tiger”. It has sharp teeth. Recent Symantec research on the state of privacy in Europe shows how seriously GDPR is being taken:

  • 96% of organisations don’t fully understand GDPR

  • 90% are worried about their ability to comply

  • 26% in 2016 believed their organisation would fully comply by May 2018

  • 22% in 2016 had GDPR compliance as a top priority

Many of the customers I talk to about GDPR misunderstand the penalties, the risk and the consequences of failing GDPR compliance. I’ve met people who think that fines will go to the EU budget. Others are unsure whether local or global turnover is used to calculate fines. Some hope that Brexit may provide them with a safe haven. A frequent statement is that “we are not going to be ready and no one else will be either”. Another remark is: “Do you really believe the authorities will start issuing fines of up to 4% of companies’ global turnover?” Or: “Our investment in Europe is relatively small despite the fact that we serve a lot of Europeans. Why would the authorities target us?”

How stringent will regulators be?
In a recent meeting with regulators and European officials, some regulators seemed willing to “take industry by the hand” and lead them to compliance. Others want to be enforcers. At the moment, nobody knows for sure how enforcement will take shape. We do know that the fines are described in the law like this:

  • The penalties range from 2%-4% of global annual turnover, but there is also a scale within that range.

  • The lower tier, 2% or 10 million Euro, whichever is higher, targets a series of offences such as failing to take appropriate security measures.

  • The upper tier, 4% or 20 million Euro, whichever is higher, means that something seriously bad has happened, such as an illegal data transfer or a repeated violation of the law.

What I will say is that your current compliance situation impacts the level of enforcement your organisation risks facing. The argument goes like this: the old 95/46/EC law follows largely the same principles as GDPR, but the latter is much more detailed and results oriented. However, because 95/46/EC has existed for 22 years, those already fully compliant with 95/46/EC can reach GDPR as an evolutionary step. Not being ready on time in 2018 but working your way up from 95/46/EC doesn’t protect you, but it is likely to get you into less trouble.

Those not in full compliance now with 95/46/EC have a tough road ahead. Why? If you haven’t met 22-year-old standards by now, you are less likely to be able to fulfil the requirements of GDPR anytime soon. This situation results in companies “rushing through” a GDPR compliance program. This is expensive but probably the only way to mitigate the risk.

GDPR expands the “risk surface”
95/46/EC created a system of “approximated” national laws. One of the consequences of “approximation” was that breaking the law in one country hopefully “contained” the infraction to that country. With GDPR the law is harmonised, and full cooperation between data protection authorities is a key component of it. Consequently, a violation of the law in one EU jurisdiction may actually result in violations in multiple EU jurisdictions. Suddenly the “risk surface” is all of the territories within the EU in which you do business, making it riskier to be caught breaking privacy rules.

GDPR has global reach
If you are doing business in Europe, even remotely, you must comply with GDPR. If serving EU customers directly or indirectly, GDPR will apply to you via contract. Factors to consider are the maturity of the privacy compliance program and the risk to data caused by an infraction. The size of your investment or presence in a country could be relevant depending on the circumstances.

What triggers an investigation?
What could actually trigger an investigation is complex. Here are three factors to consider:

  1. Authorities could take action on their own initiative
    For example, if they receive information about a company’s new privacy policy and its impact on users. Here an inquiry into the firm’s use of data may result in further investigation.

  2. Customers complain
    With GDPR, cross-border complaining is more effective and likely to involve more authorities. The level of fines makes it more likely that a competitor or a disgruntled employee may also approach the authorities.

  3. Reporting or not reporting
    This includes the obligation to report data breaches or certain privacy impact assessments. Having to report an incident or failing to have proper security that resulted in an incident may trigger an investigation that could disclose bigger privacy compliance challenges. Failure to meet a notification obligation (e.g. to report a breach) is an infringement that would trigger fines. Choosing not to report a data breach to avoid regulatory scrutiny or sanctions is not a viable strategy and could increase fines.

How soon are we going to see fines, and how large will they be?
The views among data protection authorities differ. Remember that fines based on global annual turnover are an idea that comes from EU competition law. However, the 10 million threshold of GDPR penalties has already been exceeded by recent decisions of the Italian Data Protection Authority. France and Germany have already taken steps to increase the sanction powers of their national data protection authorities in preparation for GDPR.

How are fines calculated?
By looking at the particular circumstances of every case. The recent Garante decision is a good example. Some of the factors that will be taken into consideration include:

  • The amount and type of affected personal data

  • The damage caused and seriousness of risk

  • The number of data subjects

  • The multitude of jurisdictions

  • The disposition of the company that broke the law, its compliance efforts, its presence in a particular country

  • How involved the authorities became and whether they have a history of imposing heavy fines

In reality, at this stage it’s impossible to predict exactly how GDPR will be enforced. Any prediction may go out of the window if a major privacy scandal erupts, something like the Snowden disclosures back in 2013. GDPR has real teeth, and it’s becoming pretty clear that it will be a game changer in risk, enforcement, compliance and business practices. The less risky strategy is to focus on compliance rather than to become a test case in Europe. A question often asked is whether one should apply GDPR to non-European data as well. A lot depends on the business model of every organisation, but more and more practitioners seem to give the same answer: it is easier to have a single policy, a single standard across the organisation, and the highest one at the moment is GDPR.

One should also remember that although the GDPR fines have attracted public attention, Data Protection Authorities have many more arrows in their quiver that may prove even more problematic than the fines. Decisions by DPAs such as a ban on processing certain categories of data or a suspension of data flows can kill entire business models. In addition, unlike the fines, which have the caps previously mentioned, the liability and right of compensation towards data subjects cannot be capped.

The good news for practitioners is that the prospect of large fines and damage to brand reputation will get you a conversation with the board! While that’s important at an operational level, I think GDPR offers so much more. It’s an opportunity to be far better than we are today at managing and securing information. Because information fires up competitive advantage, better information management means better business. Get the foundations of information management right with GDPR and your organisation will have its house in order, ready for a new level of success.
