Even as a data protection novice, the GDPR makes sense to me. I get it. I may be partly wrong in some assumptions, but I am comfortable enough in my understanding of the intent of the Recitals and Articles to ask the right people the right questions.
All, that is, with the exception of Recital 80 / Article 27 – Representatives.
I understand the words, and think I even understand the intent, but I cannot even begin to fathom how it’s actually going to work in the real world. This blog is therefore aimed at those who do. I need your guidance please.
My English translation (i.e. not legalese) of Recital 80 is:
Any controller or processor not established in the EU, but who:
1. offers goods or services (regardless of payment acceptance) to data subjects in the EU; or
2. monitors the behaviour of data subjects within the boundaries of the EU.
…must designate a representative to act on their behalf who may be addressed by any supervisory authority. Unless the processing:
- is occasional;
- does not include processing on a large scale of special categories of personal data;
- does not include processing of data relating to criminal convictions and offences;
- is assessed as low risk; or
- is performed by a public authority or body
Taking a week’s break from my Step-by-Step series in order to have one final rant [I promise] about the use of GDPR fines/penalties in marketing material. Hopefully this third attempt will sort the problem out once and for all, I DO have 400 followers after all.
In my business, I am advising everyone who will listen to not do business with ANY organisation using fear, uncertainty and doubt (FUD) as a tactic to sell. If they were offering decent services they would not have to resort to such unprofessional and unethical practices.
If you or your organisation use these tactics then you are everything wrong with the industry and I can only hope you fail. I will be using the hashtag #gdprcharlatans to draw attention to more egregious lies. But if you fall for these tactics then frankly you deserve it, because you have not done your homework.
For anyone watching the industry closely, it is clear that GDPR represents a fundamental shift in how data protection is going to be addressed globally. So while the fines/penalties may be a stick to help keep things moving in the right direction, they will NEVER be anything other than “effective, proportionate and dissuasive” (Article 83(1)). This is not a do-it-once compliance project for May 25th, this is slow and steady integration of a human right into the way we do business. Permanently. Fines are not the important part.
I hereby predict that you will never see an organisation go out of business because of a fine, it will be because they were stopped from processing for egregiously breaking the rules. In other words they will deserve it.
Here is my reasoning (borrowed yet again from previous blogs):
- The maximum fine for ANY infringement, no matter how egregious, is 4% of the annual revenue from the previous year (in the case of an undertaking), it can be assumed therefore that 4% is what the EU considers the maximum for any fine. Therefore, a fine of €20,000,000 (Art. 83(5)) would be reserved for any individual organisation with revenue over €500,000,000 annually. Yes, that’s 1/2 a BILLION.
- It must also follow that if 4% is the maximum, then fines will go down the less egregious the offence. Everything you need to determine the level of ‘egregiousness’ in an offence is contained in the 11 lines of Article 83(2)(a) – (k). With words like ‘intentional’, ‘negligent’, ‘degree’, and ‘manner’, it’s clear that there is a significant amount of information to be taken into account long before a fine is even considered. A fine, IF levied, will be carefully considered and FAIR.
e.g. For Art. 83(2)(b) – “the intentional or negligent character of the infringement” consider the answers to the following questions:
* To what degree are the lawful bases for processing for all business processes supported by legal review and approval?
* Was senior management aware of the organisation’s risk exposure?
* Did senior management ignore, or actively suppress recommendations to correct processing?
Would you fine an organisation that is doing its very best and has established Board-level accountability the same as one that couldn’t care less?
- Fines simply don’t fix the cause of the breach, and supervisory authorities KNOW that. For any breach there will be remediation and potentially reparation required, often at significant cost. So unless a breach was truly intentional or negligent, why would a supervisory authority fine an organisation for a mistake as opposed to allowing them to use what money they have left to fix the underlying issues?
To try and put all of this into a more demonstrable format, I have developed a GDPR Fine Calculator designed to do the following:
- Determine the level of fine for which you are potentially liable – Art. 83(4) and (5) break down, by reference to 50 other Articles/sub-Articles, which infringements incur which penalties (2% and 4% respectively). Just answer the 50 questions on the ‘Breach Questionnaire’ tab to determine which applies to you (Note: If even 1 answer is 4%, that’s what applies);
- Estimate the fine for which you would be liable based on the ‘egregiousness’ of the offence – Whichever fine structure you fall under based on the results of the breach questionnaire, go fill it out. Enter your organisational status (undertaking or not) and your annual revenue (in €), then answer all the questions predicated on the 11 “conditions for imposing administrative fines”.
I think you will find that unless you are unbelievably crap at absolutely everything, your fines should not be anywhere near the infamous €20M mark.
This is not to say you shouldn’t worry about fines, because if you are in fact crap OR you’re still doing absolutely nothing towards GDPR compliance, and you are breached, you will deserve every fine you get.
Please Note: The fine calculator has absolutely nothing to do with any official ‘body’, known fact, or even direct experience, it’s based entirely on my opinion and hopefully a little common sense.
[If you liked this article, please share! Want more like it, subscribe!]
It seems there are only two ways to sell GDPR products and services:
- Tell everyone they are going to get fined €20M or 4% of their annual revenue; and
- Tell everyone that they only have until May 25th to get compliant or they’re in big trouble
These are both utter nonsense.
While the monster fines are a theoretical possibility (per Article 83), I would hope by now that you know they will be reserved for the VERY worst offenders. If you don’t, read this from the UK’s Information Commissioner herself; GDPR – sorting the fact from the fiction. With my favourite quote being:
“Issuing fines has always been and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.”
And not one of these 16 (0.09% of the total!) was anywhere near the maximum of £500K, so forget the damned fines!! Unless of course you work for a bunch of total scumbags like Keurboom, then I hope you get completely reamed.
Anyway, so here we are, less than 3 months away from May 25th, and the ‘deadline’ for compliance is the most prevalent scare tactic!
“Get compliant before May 25th or else!!” “Deadline fast approaching!!” “Trust me, I’m a certified practitioner!!”
The thing is, “or else” what, exactly? What do you think is going to happen on May 25th? That your supervisory authority is going to be banging on your door with cries of “Article 30!! Show us your records!!”? Do you expect to receive hundreds of requests for access from people who know even less about GDPR than almost anyone reading this blog? Do you think you’ll suddenly be the subject of a class action suit?
Do you think your supervisory authority even knows who you ARE at this point? [No offence]
I’ll tell you what’s going to happen on May 25th …not a bloody thing different. It will be business as usual.
However, what WILL happen from May ONWARDS is a gradual increase in how the GDPR is enforced in each member state. Guidance from supervisory authorities will increase in line with the real-world issues they face; certification mechanisms will be released forcing all organisations to at least review and consider them; the general public will gradually come to expect the heightened protection mechanisms and vilify those organisations who are not up to speed and so on.
To put this another way; Data Protection law is not going away and cannot be ignored. By anyone. In fact, in light of things like AI/ML, Big Data and the Internet of Things, data protection is only going to become more embedded in everything we do. It has to, and you need to keep up with it.
So the more time that passes the fewer excuses you will have for doing nothing, regardless of the size / type / industry vertical in which your business operates. In the UK for example you are already 20 years too late to be proactive. The DPA has been out since 1998 and compliance to it would have covered the lion’s share of the GDPR. Which itself has been out for almost 2 years.
While I can sympathise with organisations fumbling around but doing their best, I have little sympathy for organisations who have done nothing. It’s these folks who should be the most concerned, not for May 25th, but every day after it.
Not one organisation out there is incapable of doing these 6 things before the ‘deadline’. Not to completion perhaps, but a good chunk:
- Find out where all your personal data is; – [even crappy questionnaires and interviews will get you most of the way there]
- Map that data to the business processes that created it; – [HR, Sales, Marketing and so on…]
- Agree on which business processes should continue as they are, which should change, and which should stop altogether;
- Get rid of all instances of personal data that do not support the agreed business processes;
- Obtain appropriate guidance on the lawful basis(es) for processing what’s left; and
- Commit, in writing, at the Board level, to achieving full compliance
While this is nowhere near a full demonstration of compliance, you have done 3 things that the ICO have every right to expect. You have:
- reduced your risk by minimising your threat exposure – you can’t lose or misuse what you don’t have;
- done your best to ensure that you are supporting the data subject’s rights – the whole point of this exercise; and
- MADE A BLOODY START!
I don’t care if you only achieve full compliance 5 years from now, and it’s unlikely the supervisory authorities will, if, and ONLY if:
1. Your commitment is real;
2. You have a plan; and
3. You don’t get reported or breached
It’s up to you to do ENOUGH now to make sure 3. doesn’t happen, work on the rest when you can. Just make sure you can justify your timelines.
[Ed – It’s good to see that the message is getting out there, even across the pond; GDPR – Five Myths Debunked]
Is there anyone out there who still believes that Brexit will exempt UK businesses from having to comply with the GDPR? Well, as long as there are also Flat Earthers and Young Earth Creationists I’d say that there’s enough ignorance out there to ensure that there are plenty of them.
The Brexit vote debacle itself showed just how pervasive ignorance is in the UK for example, as evidenced by the number of people who Googled “What is the EU?” the day after the vote. Stupidity I can forgive, it’s not a choice, ignorance is. Or as Harlan Ellison puts it so perfectly:
“You are not entitled to your opinion. You are entitled to your informed opinion. No one is entitled to be ignorant.”
And when a weapons-grade plum (thank you @sueperkins) like Donald Trump is in favour of a decision, you know you’ve f&%$ed up.
But enough judgement, the answer to whether or not UK businesses will need to comply with the GDPR is written in the Regulation itself. Anyone who has actually read it probably has the words “third country” floating around in their heads right about now. Why? Because post-Brexit that’s exactly what the UK will be to the EU; a third country.
Every country in the EU has signed up to adopt the GDPR into their individual national laws in order to enforce it in the exact same way. From the creation of supervisory authorities with identical tasks and powers, to approved codes of conduct, to the imposition of penalties, every EU country ‘trusts’ every other EU country by default. Further, if for any reason two countries disagree on something, the Board can step in and sort it out per Articles 63 (Consistency mechanism) and 65 (Dispute resolution by the Board).
None of this will apply to third countries, who will need to demonstrate what the GDPR calls an “adequate level of data protection” in order to enjoy the freedoms of data processing and movement that EU countries will receive automatically. This is spelled out very clearly in Recital 103:
The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.
In other words, the Commission can, as long as the third country has met certain criteria, give blanket approval for that country to do business as usual within the EU.
Simple logic therefore dictates that the criteria must fully comply with the GDPR, and every business must meet the GDPR baselines in their entirety.
The criteria are broken out in Article 45(2) [edited for length]:
When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral [edited]
(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject [edited]
(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
In other words, as long as ALL of the laws, judicial systems, supervisory authorities, contractual obligations etc. are at or above the levels mandated by the GDPR, that third country is good to go.
Here in the UK this will hopefully not be an issue. The ICO is the supervisory authority and the upcoming amendments to the Data Protection Act should more than cover the GDPR adequacy requirement. So as long as UK businesses comply fully with the DPA, they should not have to provide any further evidence of compliance to EU countries.
However, there are many who believe that, because of things like the Investigatory Powers Act 2016 (a.k.a. Snooper’s Charter), the UK is at serious risk of not qualifying for the adequacy decision. We’ll have to see how it goes.
Bottom line here is that if you are sitting on your arse waiting for the ICO to tell you what to do, you are setting yourself up for some very unnecessary pain. The initial preparations for GDPR/DPA are as simple as they are obvious, and well within the reach of every organisation out there. Whether or not your country receives an adequacy decision, your organisation will need to comply. Nothing has changed.
You do not need to understand your legal basis for processing in order to perform either a data discovery exercise or a business process mapping, both of which you should be doing already. I’d get on with it if I were you.
It’s not doing the wrong thing unintentionally that will piss the supervisory authorities off the most, it’s doing nothing at all.