Administrative Fines

GDPR: Administrative Fines for Data Breach, 4% or 2%?

As we all know, and as we are all sick to death of hearing, the final version of the GDPR dated 27th of April 2016 has, in Article 83, provision for the “imposition of administrative fines”. Having read through that Article (General conditions for imposing administrative fines) about a 1,000 times I came to the conclusion that the:

  1. 4% / €20M fines were going to be reserved for infringements of processing (data subject rights, legal basis for processing etc.); and
    o
  2. 2% / €10M fines would cover data breaches

From that point forward I was on a mission to embarrass any cybersecurity organisation using the GDPR fine structure as a launchpad into a bulls*** sales pitch. Because they always, I mean ALWAYS, used 4% /€20M as their benchmark.

But why am I so convinced that it’s 2% not 4%? First, you have to take a very close look at the Articles to which the individual fine structures refer.

Article 83(4) (2% / €10M) refers to (sorry, this a long list):

  • Article 8 – Conditions applicable to child’s consent in relation to information society services
  • Article 11 – Processing which does not require identification
  • Article 25 – Data protection by design and by default
  • Article 26 – Joint controllers
  • Article 27 – Representatives of controllers or processors not established in the Union
  • Article 28 – Processor
  • Article 29 – Processing under the authority of the controller or processor
  • Article 30 – Records of processing activities
  • Article 31 – Cooperation with the supervisory authority
  • Article 32 – Security of processing
  • Article 33 – Notification of a personal data breach to the supervisory authority
  • Article 34 – Communication of a personal data breach to the data subject
  • Article 35 – Data protection impact assessment
  • Article 36 – Prior consultation
  • Article 37 – Designation of the data protection officer
  • Article 38 – Position of the data protection officer
  • Article 39 – Tasks of the data protection officer
  • Article 41(4) – Monitoring of approved codes of conduct
  • Article 42 – Certification
  • Article 43 – Certification bodies

It’s clear that the vast majority of these are related to the ‘administration’ of an organisation’s GDPR compliance, and the ONLY 3 Articles related directly to either data security or breach notification are contained here in full. In other words; take the RUNNING of your compliance program seriously, including the confidentiality, integrity and availability of the data itself.

Article 83(5) (4% / €20M) refers to (sorry again, another long list):

  • Article 5 – Principles relating to processing of personal data
  • Article 6 – Lawfulness of processing
  • Article 7 – Conditions for consent
  • Article 9 – Processing of special categories of personal data
  • Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject
  • Article 13 – Information to be provided where personal data are collected from the data subject 1.
  • Article 14 – Information to be provided where personal data have not been obtained from the data subject
  • Article 15 – Right of access by the data subject
  • Article 16 – Right to rectification
  • Article 17 – Right to erasure (‘right to be forgotten’)
  • Article 18 – Right to restriction of processing
  • Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20 – Right to data portability
  • Article 21 – Right to object
  • Article 22 – Automated individual decision-making, including profiling
  • Article 44 – General principle for transfers
  • Article 45 – Transfers on the basis of an adequacy decision
  • Article 46 – Transfers subject to appropriate safeguards
  • Article 47 – Binding corporate rules
  • Article 48 – Transfers or disclosures not authorised by Union law
  • Article 49 – Derogations for specific situations
  • Article 58(1) – Powers
  • Article 58(2) – Powers

This contains just about everything in the GDPR related to the Principles of privacy itself and Rights of the data subject. In other words, PROCESS the data correctly.

The only link to data security in the whole of Article 83(5) is the reference to Article 5(1)(f) which states; “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

So you tell me, if you lose data, which fines do you think will apply? Seriously, tell me, I’ve not seen any guidance on it and there are many people out there who know this stuff a damned sight better than me.

I work in cybersecurity, I WISH it was 4% /€20M fines, but like I keep saying, data security does NOT equal privacy. The GDPR is about privacy, so which infringements should attract the biggest punishment?

In the end, if you think GDPR is about fines and penalties, you’ve completely missed the point. Don’t believe me? Then take it from Elizabeth Denham, the UK’s Information Commissioner herself, who wrote this excellent blog; GDPR – sorting the fact from the fiction.

And yes, I totally stole her featured image.

[If you liked this article, please share! Want more like it, subscribe!]