I would like to start off with a disclaimer. This article is meant to be a satire on all the fear mongering and negative press currently surrounding the EU General Data Protection Regulation (GDPR). I wanted to summarize all the negligence and missteps organizations must perform in order to achieve the maximum penalty.
The way I approached this was to jump right to Article 83, section 4 and 5 where two categories of penalties are detailed, each with a different maximum fine. This article also includes all the requirements that you must disobey in order to get fined. I would like to go through each and give you some idea what must be done not to comply.
Let’s start with the section 4 with fines ranging between 10 Million EUR and 2% of yearly global turnover
Article 8: Fully disregard child consent from the age of 16 or below.
Article 11: Keep all bits and pieces of data, especially the ones you no longer need.
Article 25: Maximize your data collection, collect everything, even data you don’t particularly need for certain processes and make sure to keep all your data in an unsecured environment open for everyone to access, on top of that make sure all your data is decrypted.
Article 26: During joint processes between other data controllers, make sure not to disclose responsibilities, cooperate as little as possible and above all else make sure all your processes are as non-transparent and hard to trace as possible.
Article 27: If you are not in the EU, yet your target customer base is, by all means do not appoint a representative in the EU!
Article 28: If you are a data processor, make sure to never ask for the controller’s permission. Do not make any documentation on processes performed. Also, never delete any of the processed data, not even if request by the controller.
Article 29: If you are processing data under a controller’s authority, don’t just process the data you were instructed to but whatever data you want, go nuts!
Article 30: Make sure not to have any records of processing activities. If you do, definitely do not include the:
- Name and contact details of the controller,
- The purposes of the processing,
- Categories of data subjects,
- Recipients to whom the personal data have been or will be disclosed,
- Transfers of personal data to a third country,
- Time limits for erasure,
- General description of the technical and organizational security measures
Article 31: Whatever you do, do not cooperate with the Supervisory Authority! Never respond to any requests and most definitely do not share any information. Just consider it as any annoyance.
Article 32: Never encrypt or pseudonymize personal data. Confidentiality, integrity and availability are only there for show. The less you care about your customers’ safety or civil rights the better.
Article 33 and 34: Keep all data breaches a secret. If nobody knows about it, there is nothing to worry about.
In case you do file a breach report:
- Most definitely do not consider the fact that you could have prevented going public if you could have rendered the stolen data useless by applying strong encryption in the first place.
- Make sure to blame the lack of time for not being able to issue a report within 72 hours. Even though you could have provided it piece by piece.
Article 35: Why bother with Data Protection Impact Assessments? Same goes with risk assessments. Have blind faith that all your processes and procedures are secured. There’s no need for an actual evaluation or fact checking.
Article 36: Never seek the advice of the Supervisory Authority. They are only there to fine you, there is no reason to think they would help you.
Article 37, 38 and 39: Do you really need that Data Protection Office? Buy not enlisting one, you will be free from all the internal pressure that you should change something to comply with the regulation.
Article 41, 42 and 43: Make as much trouble to the Supervisory Authority as possible. Halt their activities in every possible way and if your GDPR certification is revoked, be sure to continue to handling and processing data as usual.
Just follow these easy steps and you are right on course to receive a 2% penalty. But I promised that we will aim for the highest possible number, so let’s take a look at what should be done to go for the big money.
The section 5 includes penalties ranging between 20 Million EUR and 4% of yearly global turnover
Article 5: Disregard all personal data processing principles.
- Lawfulness, fairness and transparency are only naive desires, that no organization should pursue.
- Why limit your purposes and restrict data collection? Just do whatever you want.
- Why bother being accurate with your data? Do not perform any updates on collected data, keep it as is.
- Make sure to keep everything for eternity, even the data you no longer need or no longer serves a purpose.
- Make as little effort as possible to guarantee data integrity and confidentiality. No one likes to go the extra mile to secure business critical assets.
- Always avoid blame and never be accountable for your errors. It’s not as if you could justify all your actions by documenting all your processes and procedures.
Article 6: Don’t even read this article where it is justified that your organization performs data processing in order guarantee business continuity. If you got this far it is all about getting bankrupt by now.
Article 7: Make sure never asking for consent from your data subjects or clarify to them what will you do with their data. There is also no backing out! Once they agreed you should not allow them to change their mind.
Article 9: When I said collect every bit of data I wasn’t joking. Things like ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, genetic data, a person’s sex life or sexual orientation is all there for the taking. Be sure, even if you are allowed to collect such information only use it for illegitimacy purposes.
Article 12: At this point we already touched on a number of topics enlisted here. Just make sure you remain completely non-transparent towards your clients, do not share anything you do with their data and make sure everything you use the data for go against their civil rights.
Article 22: Fully automate all your processes leave even the evaluations up to machines with no human supervision. If any of your clients disagree with the results don’t bother to review the evidence in case an error.
Article 44: If you transfer personal data to a third party situated outside the EU, care as little as possible compliance with GDPR.
Article 49: Do not ask for the consent of a data subject before transferring their data and most definitely transfer personal data only to organizations who disregard all GDPR requirements and principles.
Just follow these easy steps and you are guaranteed to achieve a maximum fine in no time.
With all jokes aside
The reason I made this list is to show the extent to which organizations must fail to comply with the GDPR to get such large fines.
The GDPR has become somewhat of a boogieman rather than a rational step towards modern personal data handling.
I also wish to add that, like with all regulations on the market, fines are only there as a last result. There will be a number of preceding notifications and audits before any organization faces any actual fines.
Organizations must realize that they are only required to fine-tune currently applied practices and procedures and if necessary fill in the gaps they didn’t considered as crucial till now.
To see how Balabit can help with meeting GDPR requirements, please read our white paper on the subject.