I have made no secret of my disdain (bordering on disgust) for anyone using the GDPR’s ‘administrative fines’ to further their own ends. Whether those ends are selling products, services, or column inches, trying to scare organisations into parting with their hard-earned cash is totally unacceptable, and I only hope that most of them have failed.
That said, it is clear from Google (€50M), British Airways (€200M+), and Marriott (€110M+) that enormous fines are now a reality for organisations that egregiously break the law. And make no mistake, they ARE breaking the law. A law that enforces one of OUR fundamental human rights.
But fining is STILL about the LEVEL of egregiousness; the supervisory authorities are not just going to hand these fines out to everyone. At ALL times the fines must be “effective, proportionate and dissuasive” (Art. 83(1)), and when your revenues are in the billions, that is exactly what these fines are for the more serious cases. They are also well below the maximum of 2% of global annual turnover permissible for this class of infringement, which includes data breaches (Art. 83(4)).
As an aside, I am actually very surprised by the BA fine, as I basically came to their defence in September of last year when every headline was “BA faces record £500M fine for data breach!“. But clearly the investigation showed that BA had in fact been egregiously negligent in the lead-up to the breach, because that is what it would take for the proposed fine to be as large as it is.
If my ‘in-no-way-based-on-fact’ fine calculator is even partially accurate, you can assume the following:
- the “nature, gravity and duration of the infringement” was on the ‘bad’ side (Article 83(2)(a));
- the breach was deemed “intentional or negligent” (Article 83(2)(b));
- little action was taken to “mitigate the damage suffered by data subjects” (Article 83(2)(c));
…and so on down the list, all the way to Article 83(2)(k).
The BA fine represents ~1.4% of global revenue, so this is wayyyyy up there on the egregiousness scale.
So, for me, the takeaways from these fines are that:
- the #GDPRCharlatans still harping on about 4% fines for data breaches in order to drive business are every bit as wrong as they were 3 years ago (the 4% tier in Art. 83(5) is not the one that applies to security failures);
- the big fines are real though, and if you’ve still done nothing to achieve compliance the ‘egregiousness’ of your negligence (there is nothing else to call it now) will very much count against you;
- Apr. 2016 – Apr. 2018 was, despite the inaccuracy of the name, a “grace period” for you to get your act together; May 2018 – Apr. 2019 was a warm-up for the supervisory authorities; and from this point forward the real enforcement begins;
- only big fines make the headlines, but hundreds of other fines have been levied across the EU that have an equal impact on their recipients. A 1.4% fine for my business, for example, would be about €5,000: very painful, but not designed to put me out of business;
- the bigger your business, the higher your profile, and the better the chance that people will complain about you. But ALL complaints will be heard eventually. If you have done nothing to allow you to receive those complaints directly (DSARs, for example), that is an offence in and of itself;
- for those of you who hoped May 25th 2018 was some kind of deadline that you dodged, you are in for a very rude awakening;
- people are STILL not even reading the regulation.
As I said in GDPR: Advice for Every Small Business, EVERY business should at least have done the following already:
- Paid your Data Protection Fee;
- Determined if you need a DPO;
- Determined if you need to maintain a Record of Processing;
- Distributed Data Processing Agreements (if applicable).
Of course, you should also have performed a comprehensive data discovery and business process mapping exercise, determined all appropriate technical and organisational security measures, AND assigned each of your business processes a lawful basis for processing, but let’s not get carried away.
The longer you leave this stuff, the more egregious any offence your organisation commits will be. We are still very near the beginning of GDPR enforcement, and eventually you will have to demonstrate your compliance to someone.
Make sure it’s not a supervisory authority, they will have little sympathy for you.