The General Data Protection Regulation (GDPR) is the biggest update to personal data rights ever. As well as, giving European citizens far greater control over the personal data held by organisations worldwide, the new regulation outlines some particularly stringent penalties for breaches.
Article 83 of the GDPR outlines the conditions for imposing administrative fines on parties found to have misused or exposed personal data.
When defining penalties for personal data infringements, European lawmakers had two goals. First, fines need to be suitably harsh to underscore how serious the issue of personal data protection is, and to disincentivise firms from “cutting corners”. Second, the financial penalties reflect the increasing value of personal data in the information economy.
According to Article 83, Chapters 4 and 5 of the regulation, fines are calculated on a case-by-case basis and are split into two tiers depending on the size of the company involved. At the lower tier, the GDPR maximum fine is €10 million or 2% of global turnover. Breaches at the higher tier could attract administrative fines of €20 million or 4% of global turnover – whichever is higher. For a FTSE 100 company, that may be as much as £5 billion.
The exact size of the fine will depend on a number of mitigating factors. When investigating a breach, the Information Commissioner’s Office (ICO) will need to look at:
- The nature, gravity and duration of the breach. The more people affected, the more serious the incident.
- The intentional or negligent character of the infringement. Has the company been actively working to protect personal data?
- Technical and organisational measures that have been implemented by the organisation. Is the company applying security best practice principles to protect data?
- Have there been any previous infringements by the organisation or data processor. Is this an indication that the company is consistently failing to take personal data security seriously?
- The types of personal data involved. The ICO considers some personal details to be more sensitive than others.
- The way the regulator found out about the infringement. Was the issue reported by the organisation (a legal requirement), or by a third party whistleblower?
Essentially, data regulators will want to know what was exposed/lost, how the breach happened, and whether the organisation was following actively working to improve security. They will then use these insights to define an appropriate GDPR sanction.
We are still awaiting the first test cases, so the size of fines levied remain unclear. According to the UK consumer group Which?, “GDPR is not about issuing big fines, and it’s unlikely ICO will stray far from the size of fines it’s issued in the past.”
GDPR Article 83 says that fines must be “effective, proportionate and dissuasive” – rather than harshly punitive. The ICO’s most recent annual report shows that of the 18,300 cases reported, only 16 serious data breaches were prosecuted in the 2016/2017 financial year, totalling just £1.6 million.
It is incredibly hard to estimate how much a “proportionate” GDPR fine may be. Assuming that the ICO continues with their current strategy however, average fines will probably be in the region of £500,000 – £1 million.
Victims’ Rights to Compensation and Liability
Many businesses will have heard about the GDPR maximum fine before. Less well known in the issue of liability.
Under Article 82 of the General Data Protection Regulation, individuals have the right to seek compensation of any material and/or non-material damages resulting from an infringement of the GDPR. More worrying still is that not-for-profit bodies can bring representative action on behalf of individuals in some circumstances.
In the event of a large-scale data loss event, businesses may find themselves on the receiving end of a mass claim, adding many millions more to the overall cost.
Because GDPR fines are levied based on the illegal behaviour of the firm involved, it is not possible to insure against fines either. The only way a data controller will be able to recoup monies will be by proving their third-party data processor was at fault and pursuing them through a civil case.
GDPR fines and privacy infringement lawsuits have the potential to seriously disrupt a business. But the fall out following a personal data breach may be even larger than the fine itself.
According to a report from Ponemon Research;
“The economic value of reputation and brand ranged from less than 10 percent to greater than 5X [annual revenue]. Again, depending upon the type of breach, the value of brand and reputation could decline as much as 17 percent to 31 percent of annual gross revenues.”
In its conclusion, the Ponemon study estimates that it takes an average of 11.8 months to restore damage caused to the affected brand’s reputation. This observation is reinforced by another report published by Kaspersky Internet that claims 58% of consumers would avoid a brand that had recently experienced a data or security breach.
Given that GDPR is still relatively novel, early cases are sure to attract plenty of media attention. With much unwanted publicity surrounding these test cases, the damage to reputation following a personal data incident could be even greater.
Can you Reduce the Fine?
In the event of a breach, can your business reduce the GDPR fine? When investigating incidents, the ICO looks at a few mitigating issues that will help to soften the blow, including:
- Code of conduct adherence. By signing up to a suitable code of conduct, you demonstrate an important commitment to the principles of personal data privacy.
- The degree of cooperation between you and the ICO to remedy the infringement. Working closely with the regulator to make things right is a positive step in the right direction.
- Taking action to mitigate the damage suffered by individuals following an event is also seen as positive.
Even if you put all these concepts in place, they will not help your business escape a sanction – but they will help you to avoid the most severe maximum fines described above.
It is currently unclear whether organisations will have the right to appeal GDPR fines. The regulation does not exclude the possibility, but an appeal would depend on the type of breach and data exposed, the jurisdiction and the powers of the data protection commissioner within the jurisdiction.
Appealing a fine is likely to be extremely expensive too, adding to the overall cost in the event of failure.
The Best Defence Against GDPR Penalties? Preparation
Fines under GDPR could be extremely large. Factor in the potential for liabilities and damage to the company reputation, and it becomes clear that losing personal data belonging to EU citizens could bankrupt a business.
The best way to avoid sanctions is to achieve and maintain GDPR compliance. Investing in systems that help to understand the personal data being collected and stored, and to secure information in your possession, will dramatically reduce the risk of breaching the General Data Protection Regulation.
Preparation now will be far less costly than being the subject of an ICO GDPR investigation.
To learn more about GDPR fines, and how to ensure your business systems and processes are fully compliant, please get in touch.