If a security vendor has ever told you that the GDPR imposes fines of up to 4% of annual global revenue for data breaches, they are either:
- ignorant of the regulation; and/or
- lying to you.
Being generous, they may not actually know they are lying: the General Data Protection Regulation (GDPR) isn’t exactly easy to decipher. Even a cursory review, though, tells a rather obvious story. In this post I will make the case for the following:
- The GDPR is >95% about enforcing the RIGHT to privacy, not the LOSS of privacy through a data breach;
- The maximum fine for ANY organisation is 2% of ‘annual turnover’ (the Article 83(4) tier) for even the most egregious loss of data through breach, not 4%; and
- Fines are entirely discretionary, and an appropriate security program will significantly reduce any fine levied.
Wait, there are 2 types of privacy!?
Ask a lawyer in the EU what privacy is and s/he’ll likely quote Article 12 of the Universal Declaration of Human Rights: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
From a GDPR perspective, this equates to two of its three fundamental aspects. Grossly simplified, these are:
- A lawful basis for collecting the data (explicit consent is the most visible basis, though Article 6 lists five others); and
- Legitimacy of processing.
In other words, the vast majority of the GDPR is concerned with establishing a lawful basis (most visibly, explicit consent) for the personal data collected, and then ONLY using that data for legitimate purposes in line with that basis.
Even where the GDPR mentions ‘security’, the surrounding text is mostly about these two fundamentals rather than the security of the data itself. The one article actually titled “Security of processing” (Article 32) is short and deliberately outcome-based: it asks for technical and organisational measures ‘appropriate to the risk’, naming encryption, pseudonymisation, confidentiality, integrity, availability and resilience, the ability to restore data, and regular testing, without prescribing any particular control.
However, from a cybersecurity professional’s perspective – and this is the third fundamental aspect of the GDPR – privacy also involves loss: the data was stolen in a breach, or somehow manipulated towards nefarious ends. This is a very important part of the GDPR (hell, it’s a very important part of being in business), but it should never be used to sell you something you don’t need.
Of the 778 numbered or lettered lines of text in the GDPR Articles section, there are only 26 that relate directly to data security (or 3.34%). These are contained within Articles 5, 25, 32, 33 and 34.
Per Article 83(4)(a) (a.k.a. ‘2% fines’) – “(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;”
Article 5 does sit within Article 83(5)(a) (a.k.a. the ‘4% fines’ tier), but all but one of its lines concern the lawfulness of processing, not the security of the data. That one line is Article 5(1)(f), the ‘integrity and confidentiality’ principle, which requires personal data to be “processed in a manner that ensures appropriate security of the personal data”. A supervisory authority could, in principle, frame a serious breach as an infringement of that principle and reach the higher tier; the breach-specific obligations (Articles 25, 32, 33 and 34), however, all sit in the 2% tier.
So, if it can be assumed that the maximum fine for ANY data breach, no matter how egregious, is the Article 83(4) ceiling – €10,000,000 or, in the case of an undertaking, 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher – then 2% is what the EU considers the upper bound for a fine that still qualifies as “effective, proportionate and dissuasive” (per Article 83(1)). On that reading, a fine of €10,000,000 would be reserved for an organisation with annual revenue over €500,000,000. Note the ‘whichever is higher’ wording, though: for a smaller undertaking the €10,000,000 figure, not 2%, is the legal maximum, so it is the proportionality requirement rather than the arithmetic that keeps fines in check. Fines are not there to put you OUT of business!
It must follow that if 2% is the maximum, fines go down the less egregious your offence. Everything you need to determine the level of ‘egregiousness’ is contained in the 11 lines of Article 83(2)(a) – (k). Words like ‘intentional’, ‘negligent’, ‘degree’ and ‘manner’ are bandied around, and every one of them turns on facts within your control: whether the infringement was deliberate or careless, what measures you had in place under Articles 25 and 32, what you did to mitigate the damage, how the authority found out (did you notify?), and how well you cooperated.
In this spreadsheet, I have taken a stab at adding specific questions to each of the (a) – (k) line items. Answer them all truthfully and you’ll get an indication of what I consider to be an appropriate fine based on your annual revenue: GDPR Fine Worksheet. Caveat: I am NOT a lawyer, and this is based entirely on my own experience, not on anything resembling known fact.
Finally, bear in mind that under Article 58(2) a supervisory authority has many ‘corrective powers’ it can resort to long before levying a fine, starting with a simple warning (Article 58(2)(a)). A fine should be considered a worst-case outcome in its own right, before you even get to the amount.
Appropriate security program?
There is no such thing as 100% security. The more you can demonstrate that your security program is appropriate to your level of risk, the less fines should be your problem; Article 83(2)(d) explicitly tells the supervisory authority to take into account “the technical and organisational measures implemented” under Articles 25 and 32 when weighing your degree of responsibility. As long as you have everything from senior-leadership buy-in, to incident response, to disaster recovery and breach notification – you know, the basics! – it is not a foregone conclusion that a fine will even be considered.
Go here for more on what a security program should look like: What is a Security Program?
In the UK, if you are an organisation that processes personal data and you were already a) complying with the Data Protection Act 1998 (DPA), and b) doing security properly, GDPR compliance should require only relatively minor adjustments. For those that weren’t, you have a lot of work to do before the supervisory authority gains the powers the GDPR brings to bear, and not much time to do it in (the GDPR applies from 25 May 2018).
That said, don’t do anything for compliance alone. Do it for the business, do it properly, and compliance will fall out of the back end. So while it is reprehensible that security vendors are trying to exploit the GDPR for profit, if you fall for it, it’s entirely your fault.
By the way, if your business is predominantly centred around the processing of personal data, Article 58(2)(f) – “to impose a temporary or definitive limitation including a ban on processing;” – can take you offline indefinitely. And yes, you can be fined on top of that.
I hate to say it, but don’t do anything until you’ve spoken to a lawyer.