Do Not Hire Companies Using GDPR Fines as a Sales Tactic

Taking a week’s break from my Step-by-Step series in order to have one final rant [I promise] about the use of GDPR fines/penalties in marketing material. Hopefully this third attempt will sort the problem out once and for all, I DO have 400 followers after all.

In my business, I am advising everyone who will listen to not do business with ANY organisation using fear, uncertainty and doubt (FUD) as a tactic to sell. If they were offering decent services they would not have to resort to such unprofessional and unethical practices.

If you or your organisation use these tactics then you are everything that is wrong with the industry and I can only hope you fail. I will be using the hashtag #gdprcharlatans to draw attention to the more egregious lies. But if you fall for these tactics then frankly you deserve it, because you have not done your homework.

For anyone watching the industry closely, it is clear that GDPR represents a fundamental shift in how data protection is going to be addressed globally. So while the fines/penalties may be a stick to help keep things moving in the right direction, they will NEVER be anything other than “effective, proportionate and dissuasive” (Article 83(1)). This is not a do-it-once compliance project for May 25th, this is slow and steady integration of a human right into the way we do business. Permanently. Fines are not the important part.

I hereby predict that you will never see an organisation go out of business because of a fine; it will be because they were stopped from processing for egregiously breaking the rules. In other words, they will deserve it.

Here is my reasoning (borrowed yet again from previous blogs):

  1. The maximum fine for ANY infringement, no matter how egregious, is 4% of the annual revenue from the previous year (in the case of an undertaking); it can be assumed therefore that 4% is what the EU considers the maximum for any fine. Therefore, a fine of €20,000,000 (Art. 83(5)) would be reserved for an individual organisation with revenue over €500,000,000 annually. Yes, that’s half a BILLION.
  2. It must also follow that if 4% is the maximum, then fines will go down the less egregious the offence. Everything you need to determine the level of ‘egregiousness’ in an offence is contained in the 11 lines of Article 83(2)(a) – (k). With words like ‘intentional’, ‘negligent’, ‘degree’, and ‘manner’, it’s clear that there is a significant amount of information to be taken into account long before a fine is even considered. A fine, IF levied, will be carefully considered and FAIR.
    e.g. For Art. 83(2)(b) – “the intentional or negligent character of the infringement” consider the answers to the following questions:
    * To what degree are the lawful bases for processing for all business processes supported by legal review and approval?
    * Was senior management aware of the organisation’s risk exposure?
    * Did senior management ignore, or actively suppress recommendations to correct processing?
    Would you fine an organisation that is doing its very best and has established Board-level accountability the same as one that couldn’t care less?
  3. Fines simply don’t fix the cause of the breach, and supervisory authorities KNOW that. For any breach there will be remediation and potentially reparation required, often at significant cost. So unless a breach was truly intentional or negligent, why would a supervisory authority fine an organisation for a mistake as opposed to allowing them to use what money they have left to fix the underlying issues?

To try to put all of this into a more demonstrable format, I have developed a GDPR Fine Calculator designed to do the following:

  1. Determine the level of fine for which you are potentially liable – Art. 83(4) and (5) break down, by reference to 50 other Articles/sub-Articles, which infringements incur which penalties (2% and 4% respectively). Just answer the 50 questions on the ‘Breach Questionnaire’ tab to determine which applies to you (Note: If even 1 answer is 4%, that’s what applies);
  2. Estimate the fine for which you would be liable based on the ‘egregiousness’ of the offence – Whichever fine structure you fall under based on the results of the breach questionnaire, go fill it out. Enter your organisational status (undertaking or not) and your annual revenue (in €), then answer all the questions predicated on the 11 “conditions for imposing administrative fines”.

I think you will find that unless you are unbelievably crap at absolutely everything, your fines should not be anywhere near the infamous €20M mark.

This is not to say you shouldn’t worry about fines, because if you are in fact crap OR you’re still doing absolutely nothing towards GDPR compliance, and you are breached, you will deserve every fine you get.

Please Note: The fine calculator has absolutely nothing to do with any official ‘body’, known fact, or even direct experience; it’s based entirely on my opinion and, hopefully, a little common sense.


12 thoughts on “Do Not Hire Companies Using GDPR Fines as a Sales Tactic”

  1. Amen. FUD is a sleazy sales tactic. Your position is emphasized directly by the U.K. Information Commissioner, Elizabeth Denham, in her post “GDPR – sorting the fact from the fiction”. In it, she says:

    “This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.

    Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.”

    and further:

    “Issuing fines has always been and will continue to be, a last resort.”

    “But we intend to use those powers proportionately and judiciously.

    And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.”

    This is coming directly from the presiding officer of the U.K. Information Commissioner’s Office, which reports to Parliament.

    The post is available at https://iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-from-the-fiction/

  2. Hi, I don’t understand your first point – according to the GDPR either 20m OR 4% of your turnover can be levied, whichever is greater, so if they want to, you could be charged 20m *unless* the 4% was greater.

    How do you base your logic on 4% being the maximum?

    • If the most they are going to fine an undertaking is 4% of their annual revenue, why would they fine a single organisation more than that? For a very large undertaking (Alphabet, for example) with revenue over €100B, a €20M fine is not going to be appropriately dissuasive (0.02%). A €4 BILLION (4%) fine however…

      If a single organisation only has €20M in turnover, do you honestly see them being FINED €20M? For a fine to be “effective, proportionate and dissuasive”, €800K (4%) is far more reasonable. Still very painful, but it’s probably not going to destroy the company and result in mass lay-offs.

      Like I said in my blog, this is only my opinion, but I simply can’t imagine it being enforced any other way.

      • Yes, it might be *unlikely* that a company with a turnover of 20m would be fined 20m, but if – as you say – “they deserve it”, then that would be 100%. How then can you *also* be saying that “The maximum fine for ANY infringement, no matter how egregious, is 4% …”.

        You are not only contradicting yourself, but potentially also misleading people by your statement. And then basing your argument on it!

      • Not only have you completely missed the point, you clearly have an agenda. Why don’t you do some research on Elizabeth Denham’s comments on the subject and take a more educated stance.

  3. More enforcement options surfaced today in Elizabeth Denham’s speech at the Data Protection Practitioner’s Conference. She said, “Compulsory data protection audits, warnings, reprimands, and enforcement notices are all important enforcement tools. The ICO can even stop an organisation processing data.

    None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on their reputation and, ultimately, their bottom line.”

    So if you’re one of those consultants or vendors that David wrote about and you still feel the threat of fines is the most convincing sales tactic, you may want to reconsider who you’re selling to. Really, do you want a client that you had to scare into complying with a law? The GDPR is not a hot new best practice or some guru’s advice that will make your business thrive. It’s the LAW.

    See the text of Elizabeth Denham’s speech at https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/04/data-protection-practitioner-s-conference-2018/
