GDPR is going to be a big challenge for organisations to implement, but the consequences of breaches and of failing to comply with GDPR can be huge. GDPR fines and penalties could potentially cripple an organisation that fails to adhere to the new regulations.

BREACHES

If there is any breach of data, such as a hack, the data controller must notify the Supervisory Authority no more than 72 hours after becoming aware of the breach (the clock starts at awareness, not at the breach itself). There is no room for misinterpretation or excuses here – if the Supervisory Authority is not notified within the 72 hours, the notification of the breach must be accompanied by a suitable reason from the controller for the delay. A suitable reason would be something that is out of the controller’s power – a power outage, for example.

Notifying the data subject (i.e. the person whose data is being held) is slightly different, though. The data subject must be notified of any potential breach UNLESS the data is anonymised – that is, the data is not immediately recognisable as the original data supplied by the subject. Pseudonymised or encrypted data hides what the data actually is behind a mask or coding, with only a small number of people able to uncover its true meaning. Without the means to do that, the data is essentially useless.

Data can be thought of as raw facts and figures that, on their own, appear to make no sense. We must put categories and context around the data for it to become information and knowledge. Hence, if a piece of data is hidden behind a mask or code, those who do not know how to unlock it cannot even tell what data they have obtained.

FINES AND PENALTIES

The consequences of failing to comply with GDPR can be huge, but while you may see big figures bandied about, those are not necessarily the fine you or your organisation will receive. Each case will be assessed against a set of conditions to judge whether a fine is warranted, and how much.

These conditions are:

  • How big and widespread the infringement was, how much data and how many data subjects it affected. The type of data affected will also be considered.
  • Whether there was any (intentional) neglect by the organisation concerning the infringement.
  • Whether the data controller took action to prevent damage to the data subjects (e.g. if there is a breach, the 72 hours you have before notifying the Supervisory Authority can be used to minimise the damage to your customers, resolve the breach and set up suitable preventions, then notify the Supervisory Authority – this will potentially help your case).
  • How the data was protected in the first place will also be considered. If an organisation does not have suitable security measures in place and cannot show demonstrable controls, this will negatively affect the organisation’s case.
  • The responsibility of the processor or controller, and whether they have had any previous infringements.
  • The degree of cooperation with the Supervisory Authority to fix the infringement.
  • How the Supervisory Authority became aware of the infringement.
  • The extent of adherence to codes of conduct specified by the Supervisory Authority.
  • Any other factors relevant to the specific case, including but not limited to financial gains and losses.

A worst-case scenario can see a fine of up to 20,000,000 Euros, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater. This is again dependent on a certain set of circumstances (including lack of compliance with the Supervisory Authority), and the figures can be lower (up to 10,000,000 Euros and 2%) because of that. The important phrasing here, though, is “up to”. It is unlikely that any organisation will be fined 10,000,000 Euros unless it severely infringes the regulations and the data affected is high-risk.

Remediation costs will also significantly affect organisations post-breach. An organisation’s size, how many employees it has and how many data records are affected by a breach all drive the remediation cost for the company. Using the supermarket chain Morrisons as a recent example: they lost 100,000 employee records, and on current estimates of remediation costs, the minimum Morrisons could potentially be looking at is £75 million. Remedying a breach is a huge cost on its own, and a figure like this would be enormous for any organisation.

These consequences seriously highlight the need to comply with GDPR thoroughly and securely, and it is vital to get your business or organisation fully compliant before the regulations come into force in May 2018. Ask us now for a Gap Analysis or GDPR project delivery.

The source for much of this information is “Guidelines on Data Protection Officers”, a comprehensive guide on all things GDPR and a vital read for any Data Protection Officer.

You can also read our take on Equifax’s breach and lack of compliance with GDPR right here: https://activaconsulting.co.uk/activa-consulting-news/equifax-affected-under-gdpr-laws/