GDPR: When will your business actually get fined?

Published on 13 July 2017

There’s a lot of GDPR content, but not a lot of clarity. Let’s cut through the noise.


GDPR then. You’ve probably read all about it, without actually reading anything about it at all.

Our industry’s hot topic is a constant fixture in corporate and media content. But with people unsure of what to expect, most articles focus on the uncertainty rather than the detail, which means that business leaders like you have to read through a lot of hyperbole to get to even the tiniest morsel of truth.

One of the big drawbacks of this mass of non-specific GDPR content is that it’s all too easy to get the impression that an organization suffering a data breach will automatically get fined. As though the GDPR overlords have Sauron-like sight over every business on the planet.

Just think of those headlines about Tesco and the banking sector: articles which talk about projected fines as though they’re fact, without ever asking whether a data breach necessarily means a fine (clue: it doesn’t).

As a business leader or exec, you don’t need to know about the technical aspects of the GDPR legislation. Instead you need to know about what your business needs to do to avoid fines. So we’ve taken a look.

Look for the truth in the numbers

One of the biggest misconceptions about GDPR is that fines will cost 4% of your global annual turnover. But the actual documentation says something else.

Article 83 (General Conditions For Imposing Administrative Fines) specifies that there are two categories of fines, and the section under which data breaches fall sets the maximum penalty at 2% (importantly, Article 83/4 details the requirements that need to be met to avoid it). The much talked about 4% (or €20 million) fine meanwhile sits in another category altogether (the requirements for that are in Article 83/5).

The lesson here is to ignore the hype around business-crippling fines and read the actual legislation instead.

Think about times and deadlines

Part of the reason exaggerated and unfounded comment on GDPR gets such a big audience is the fear of automatic fines for suffering a breach. But, as with the 4% line, it’s just not as simple as that.

The truth can be found in Article 33 (Notification Of A Personal Data Breach To the Supervisory Authority), which states that in the event of a breach, an organization will have 72 hours to report it to the Supervisory Authority. Importantly, that deadline is from the moment of discovery. So even if a breach occurred a few weeks ago, your business is not automatically at risk of a fine.

The natural question that arises is, ‘what if my business can’t provide that full report within the 72-hour deadline?’

Fortunately GDPR is a bit more lenient than some would have you believe – making it clear that if an organization can’t provide a full report, it should at least start by offering all known details, then send more as they become available.

What to report – and who to report it to

Of course, telling the authorities about a data breach is not the only thing you should be worried about. Under the GDPR rules, you’re also now obliged to tell those affected by it.

Yes, this has the potential to disrupt profitability and reputation. But a closer look at the GDPR itself reveals an important subtlety in the legislation, with Article 34 stating that data subjects only need to be informed of a breach if the stolen data is in an unencrypted, readable format that could endanger their rights and freedoms.

So there’s no requirement for you to shout about a breach if there’s no likely impact on your data subjects.

Focus on what matters

The big problem with GDPR articles is that there’s much more heat than light. Because of that, many C-suite execs have been resorting to guesswork or panic about what might happen next year.

Hopefully this blog has cleared up a few things. But if you still want more, get your IT team to focus on these steps to guarantee compliance:

  • Encryption and pseudonymization for all collected and processed data
  • Define the extent to which the organization is responsible for the safekeeping of personal data
  • Apply the data minimization principle, so only the necessary minimum amount of data is collected
  • Document and justify all applied policies and procedures
  • Implement access control, so only authorized users can access and work with personal data
  • Offer transparency on what’s happening to subjects’ data and ask for consent before doing anything with it
  • Develop the ability to transfer and erase data
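The first, third and last items of this list can be shown together in code. The following is an added example written for this post, not code from Balabit or from the GDPR text: it takes a constructed customer record, keeps only an allowlisted set of fields (data minimization), replaces the identifying fields with keyed HMAC-SHA256 pseudonyms so that the stored data is not readable without a key held elsewhere, and shows how the controller can still export or erase a subject’s record on request. The key, field names and sample record are all assumptions made up for the example.

```python
import hmac
import hashlib

# Assumed key for the example. In a real deployment the key lives in a
# separate secret store (KMS/HSM) so that a leak of the data store alone
# does not let anyone reverse or re-create the pseudonyms.
PSEUDONYMIZATION_KEY = b"constructed-example-key-do-not-use"

# Data minimization: only these fields are kept from the collected record.
ALLOWED_FIELDS = {"customer_id", "email", "country", "opt_in"}

# Fields that directly identify a person and are pseudonymized before storage.
IDENTIFYING_FIELDS = {"customer_id", "email"}

# Constructed sample record, as it might arrive from a sign-up form.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "alice@example.com",
    "country": "HU",
    "opt_in": True,
    "phone": "+36 1 000 0000",      # not needed for the purpose, dropped
    "free_text_notes": "met at conference",  # not needed, dropped
}


def pseudonymize_value(value: str, key: bytes = PSEUDONYMIZATION_KEY) -> str:
    """Keyed hash: deterministic for the key holder, unguessable without the key.

    A plain SHA-256 of an e-mail address would be trivially reversible by
    hashing candidate addresses, which is why an HMAC with a secret key is used.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize_record(record: dict) -> dict:
    """Keep only the fields the processing purpose actually requires."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def pseudonymize_record(record: dict) -> dict:
    """Replace identifying fields with pseudonyms; leave the rest untouched."""
    return {
        k: (pseudonymize_value(str(v)) if k in IDENTIFYING_FIELDS else v)
        for k, v in record.items()
    }


def prepare_for_storage(raw_record: dict) -> dict:
    """Minimize first, then pseudonymize: nothing unnecessary is even hashed."""
    return pseudonymize_record(minimize_record(raw_record))


def is_subject(stored_record: dict, email: str) -> bool:
    """The key holder can still link a stored record to a subject's request."""
    return stored_record.get("email") == pseudonymize_value(email)


def export_subject(records: list, email: str) -> list:
    """Right to data portability: return every record belonging to the subject."""
    return [r for r in records if is_subject(r, email)]


def erase_subject(records: list, email: str) -> list:
    """Right to erasure: return the data set with the subject's records removed."""
    return [r for r in records if not is_subject(r, email)]


if __name__ == "__main__":
    stored = prepare_for_storage(SAMPLE_RECORD)
    print("stored record:", stored)
    print("export for alice:", export_subject([stored], "alice@example.com"))
    print("after erasure:", erase_subject([stored], "alice@example.com"))
```

Note that pseudonymization is reversible by whoever holds the key, which is exactly why the GDPR treats it as a safeguard rather than as anonymization; the stored data only stays unreadable to an attacker if the key is kept out of the compromised system.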

For more information on the impact of GDPR: download our whitepaper: GDPR and its implication for your business.


by István Molnár

István is the Compliance expert at Balabit. With extensive knowledge and understanding of international standards, regulations, and frameworks, he acts as an adviser in compliance-related sales projects and as a content specialist in the Product Marketing team.
