Everyone who works with data day-to-day (which is pretty much every business) will be aware of the GDPR and the threat that looms large around penalties for non-compliance by the deadline of 25 May 2018. But just how big a bite can the regulator take out of a company’s funds, and will all offenders be treated the same, regardless of the infringement?
The GDPR goes further than any previous act in this area, giving data protection authorities more investigative and enforcement powers, and permission to levy more substantial fines than its predecessor, the Data Protection Directive.
That new starting point is key, because even basic violations will be considered serious, and can result in fines of up to 2% of a company’s global revenue, making even seemingly small slip-ups very expensive.
New Directive, New Standards
Previously, under the data protection directive, each member state within the EU was free to adopt laws in line with the principles, which inevitably led to differences around implementation and enforcement between one member country and the next.
The new regulation removes that scope for differing interpretation, ensuring uniformity across the EU. So, whether we like the shape or style, it’s a one-size-must-fit-all regulation.
How Will It Be Managed?
Under the new framework, supervisory authorities will operate in one of three roles:
- Lead Supervisory Authority: will, as the name suggests, provide supervision for controllers and processors who have their key concerns located within the member state. This will allow them to lean on the guidance and follow the procedures of a single authority.
- Local Authority: will deal with complaints and infringements that only affect data subjects in its member state.
- Concerned Authorities: will step in when data subjects in their member state are affected in a significant way and will work alongside the lead supervisory authority to help manage any issues quickly and effectively.
By breaking the responsibilities up in this way, the regulator aims to achieve consistency across the EU without losing the flexibility that may be required on territory-specific matters.
GDPR article 31 outlines a new requirement, placing responsibility for reporting breaches firmly in the hands of the business.
Companies will have 72 hours to notify the authorities after a breach of personal data has been discovered. And, where the breach poses a high risk to the rights and freedoms of the data subjects, the business will be obligated to notify them too.
In such an event, an organisation will face fines if it doesn’t comply with the breach notification protocol, and may face further fines for the breach itself.
Prevention, therefore, is better than the cure when it comes to data protection and compliance, and it is strongly advised that every organisation dealing with personal data puts in place a robust IT security system that not only reduces the risk of such breaches, but also enables data recovery.
How Will Fines Be Calculated?
Under Article 58, the GDPR provides supervisory authorities with the power to impose administrative fines under Article 83, based on several factors. These include:
- The nature, gravity and duration of the infringement. For example, how many people were affected and how much damage they were deemed to have suffered as a result of data loss or a data breach
- Whether the infringement was intentional or negligent
- Whether the controller or processor took any steps to mitigate the damage
- Technical and organisational measures implemented by the controller or processor
- Prior infringements by the data controller or processor
- The degree of cooperation shown to the regulator
- The types of personal data involved, and
- The way in which the regulator found out about the infringement - whether it was uncovered or reported
Fines Come In Two Tiers
- €10m or 2% of the company’s global annual turnover (whichever is greater)
If non-compliance is related to a technical inadequacy such as poor impact assessments or breach notification and certification, authorities have the power to impose fines up to €10 million or 2% of the global annual turnover from the previous year.
- €20m or 4% of the company’s global annual turnover (whichever is greater)
Failure to comply with key provisions of the GDPR comes with even heftier fines, and authorities are empowered to levy fines of up to €20 million or 4% of global annual turnover.
Examples that might see you in this kind of hot water include a lax approach to the core principles of personal data processing, neglecting data subjects’ rights around consent, privacy, etc., or transferring personal data to countries or international organisations that don’t extend an adequate level of data protection.
Both tiers come with the ‘greater than’ rule, which is obviously a key concern for companies with annual revenues that stretch to billions. A non-compliant company performing at this level could expect to be punished to the tune of hundreds of millions, not to mention the risk of negative press and potential loss of trust from its customer base.
How Can A GDPR Consultant Help?
Our minds may be set on Christmas, or even business plans for the new year, but May will creep up on us all very quickly, so time is of the essence, particularly for companies who still need to carry out full business assessments and security audits.
A certified GDPR expert should offer professionally-led assessments and the expert skills required to:
- Help your business better understand your new responsibilities
- Discover and categorise all data repositories and sensitive data
- Ensure your end-to-end processes and procedures are efficient and GDPR-compliant
- Scope and manage your business readiness project
- Implement the necessary data security and protection measures
- Troubleshoot any issues beyond the May deadline to keep your business on the right side of the law and potentially business-crippling fines
Implementing the tech and organisational upgrades your business needs will mean costs, whether you take on the challenge in-house or use a GDPR consultancy, but as with any IT spend, it must be seen as an investment, rather than an expense. After all, the question is not whether you can afford to make your organisation GDPR compliant, it’s whether you can afford not to.
As certified GDPR consultants, pebble.it can help your organisation understand what you need to do to avoid those hefty non-compliance fines, and advise on the processes you need to put in place to meet regulatory requirements.
Discover the steps that will put you on the road towards compliance and how we can help you get there by downloading our GDPR-readiness checklist: