I would like to start off with a disclaimer. This article is meant to be a satire on all the fear mongering and negative press currently surrounding the EU General Data Protection Regulation (GDPR). I wanted to summarize all the negligence and missteps organizations must perform in order to achieve the maximum penalty.
The way I approached this was to jump right to Article 83, sections 4 and 5, where two categories of penalties are detailed, each with a different maximum fine. That article also lists all the requirements you must disobey in order to get fined. I would like to go through each of them and give you some idea of what must be done not to comply.
Let’s start with section 4, with fines ranging between 10 Million EUR and 2% of yearly global turnover.
Article 8: Fully disregard child consent from the age of 16 or below.
Article 11: Keep all bits and pieces of data, especially the ones you no longer need.
Article 25: Maximize your data collection. Collect everything, even data you don’t particularly need for certain processes, and make sure to keep all your data in an unsecured environment open for everyone to access. On top of that, make sure all your data is decrypted.
Article 26: During joint processing with other data controllers, make sure not to disclose responsibilities, cooperate as little as possible and, above all else, make sure all your processes are as non-transparent and hard to trace as possible.
Article 27: If you are not in the EU, yet your target customer base is, by all means do not appoint a representative in the EU!
Article 28: If you are a data processor, make sure to never ask for the controller’s permission. Do not keep any documentation on the processes performed. Also, never delete any of the processed data, not even if requested by the controller.
Article 29: If you are processing data under a controller’s authority, don’t just process the data you were instructed to process; process whatever data you want. Go nuts!
Article 30: Make sure not to have any records of processing activities. If you do, definitely do not include the:
Article 31: Whatever you do, do not cooperate with the Supervisory Authority! Never respond to any requests and most definitely do not share any information. Just consider it an annoyance.
Article 32: Never encrypt or pseudonymize personal data. Confidentiality, integrity and availability are only there for show. The less you care about your customers’ safety or civil rights the better.
Article 33 and 34: Keep all data breaches a secret. If nobody knows about it, there is nothing to worry about.
In case you do file a breach report:
Article 35: Why bother with Data Protection Impact Assessments? The same goes for risk assessments. Have blind faith that all your processes and procedures are secure. There’s no need for an actual evaluation or fact checking.
Article 36: Never seek the advice of the Supervisory Authority. They are only there to fine you; there is no reason to think they would help you.
Article 37, 38 and 39: Do you really need that Data Protection Officer? By not appointing one, you will be free from all the internal pressure that you should change something to comply with the regulation.
Article 41, 42 and 43: Make as much trouble for the Supervisory Authority as possible. Halt their activities in every possible way, and if your GDPR certification is revoked, be sure to continue handling and processing data as usual.
Just follow these easy steps and you are right on course to receive a 2% penalty. But I promised that we will aim for the highest possible number, so let’s take a look at what should be done to go for the big money.
Section 5 includes penalties ranging between 20 Million EUR and 4% of yearly global turnover.
Article 5: Disregard all personal data processing principles.
Article 6: Don’t even read this article, which explains what justifies your organization’s data processing in order to guarantee business continuity. If you have gotten this far, it is all about going bankrupt by now.
Article 7: Make sure never to ask your data subjects for consent or to clarify to them what you will do with their data. There is also no backing out! Once they have agreed, you should not allow them to change their mind.
Article 9: When I said collect every bit of data, I wasn’t joking. Things like ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, and a person’s sex life or sexual orientation are all there for the taking. Be sure, even if you are allowed to collect such information, to only use it for illegitimate purposes.
Article 12: At this point we have already touched on a number of the topics listed here. Just make sure you remain completely non-transparent towards your clients, do not share anything you do with their data, and make sure everything you use the data for goes against their civil rights.
Article 22: Fully automate all your processes, leaving even the evaluations up to machines with no human supervision. If any of your clients disagree with the results, don’t bother to review the evidence in case of an error.
Article 44: If you transfer personal data to a third party situated outside the EU, care as little as possible about compliance with the GDPR.
Article 49: Do not ask for the consent of a data subject before transferring their data and most definitely transfer personal data only to organizations who disregard all GDPR requirements and principles.
Just follow these easy steps and you are guaranteed to achieve a maximum fine in no time.
The reason I made this list is to show the extent to which organizations must fail to comply with the GDPR to get such large fines.
The GDPR has become somewhat of a boogieman rather than a rational step towards modern personal data handling.
I also wish to add that, as with all regulations on the market, fines are only there as a last resort. There will be a number of preceding notifications and audits before any organization faces any actual fines.
Organizations must realize that they are only required to fine-tune their currently applied practices and procedures and, if necessary, fill in the gaps they didn’t consider crucial until now.
To see how Balabit can help with meeting GDPR requirements, please read our white paper on the subject.