I keep seeing the figure of €20 million, or 4% of the previous year's gross global turnover (whichever is the greater), being bandied about in relation to penalties for not being GDPR compliant, and I must admit that on occasion I have been guilty of using it in a lazy, headline way when discussing GDPR.
Sure, it is a great attention grabber, but I believe that it is being used in a disingenuous manner a lot of the time. Yes, these are the maximums that could be applied, but it is important for (if not incumbent upon) professionals in this space to stress that these maximum penalties would only apply in the most serious of circumstances.
The GDPR states that penalties will be “effective, proportionate and dissuasive”.
What this really means is that if you have not taken a blind bit of notice of the fact that the GDPR is coming and you have a data breach through lack of technical and organisational controls, then you may get hammered.
For example, if an organisation has a breach where a customer database is released into the wild, the data is unencrypted, there have been no processes in place to prevent or mitigate against this, and it has no visibility into how it happened, then it is likely to receive a very big fine.
However, if the same thing happens but the data has been encrypted, the breach is flagged by an internal employee who has been trained to look out for such things, and there is a process in place to contact the ICO, assess the scope of the breach and decide what needs to be done, then that is a whole other ball game, and any penalties are likely to be along the lines of a reprimand, if that.
The ICO takes into account the gravity, nature, scope, duration and type of infringement, but ultimately it does not want to gather fines; rather, it wants to increase and improve organisational and technical security measures around personal data storage and processing.
Also, any mitigating actions taken by the organisation to limit potential damage to its customers, along with the security measures taken to protect their data, are taken into account.
The ICO will also take into account any previous breaches or issues an organisation has had (think TalkTalk here) and whether it has had to take any action against them before. It will look at the categories of data breached, whether the organisation reported the breach itself, and the level of cooperation it receives. It will look at the types of training an organisation has given its staff and whether the organisation holds any recognised accreditations or certifications such as ISO 27001 or ITIL. All of these factors will be taken into account as potential mitigating factors when deciding on penalties.
The bottom line here is Do Not Panic.
- Have you taken advice on where you currently stand in relation to the GDPR?
- Have you got a plan and are executing on it?
If you answered no to either of these questions then Assuredata can help.