There’s a lot of uncertainty surrounding the GDPR so it is no surprise that some hyperbole has crept in. I’ve seen my fair share of presentations and read countless articles. It would be easy to get the impression that organizations suffering a data breach will automatically get fined once GDPR goes live next year (May 25, 2018).
Articles with attention-grabbing headlines such as "Tesco Bank hack: Tesco would face £1.9bn fine under GDPR" or "Report predicts banks to get €4.7bn fines in first 3 years under GDPR" seem to pop up every day.
Many articles describe these projections as if they were facts, stating that if the GDPR were already in force, organizations would face massive fines whenever a breach occurs. But does a data breach necessarily mean a fine will be imposed? If we examine the actual GDPR text, it tells a different story.
The numbers don’t add up
Article 83 (General conditions for imposing administrative fines) specifies two categories of fines. One common misconception is that a data breach could cost you 4% of total global annual turnover. The section of Article 83 under which data breaches fall has a maximum penalty of 2%.
Article 83(4) lists the requirements that must be met to avoid a maximum fine of 10M EUR or 2% of total worldwide annual turnover. The second category, Article 83(5), covers the requirements which, if not met, carry a fine of up to 20M EUR or 4% of total worldwide annual turnover.
Getting fined for suffering a breach
The idea that merely suffering a breach triggers a fine is absolutely not true, yet I've already heard it a number of times. The only language in the GDPR about data breaches can be found in Article 33 (Notification of a personal data breach to the supervisory authority).
The article states that once a data breach is recognized, organizations have 72 hours to issue a breach report to the Supervisory Authority. The breach may have occurred long in the past and only now been discovered, so the deadline runs from the moment of discovery.
Getting fined if not meeting the 72-hour deadline
Some organizations fear not being able to provide a full report on the breach within that window. This is understandable, as a breach investigation may consume much more time than the notification period the GDPR specifies. Article 33 does state, however, that if an organization is unable to provide a full report, it should at least provide all known details to the Supervisory Authority (SA) in phases as the investigation uncovers more.
The 72-hour deadline refers only to notifying the SA that a breach has occurred and that the organization is taking all necessary steps to investigate. It does not refer to a full report of the breach.
Fear of informing data subjects
One of the main concerns enterprises have in reporting a breach is lost revenue from damage to their reputation. If organizations are not bound by any regulations, they may under-report breaches. Once the GDPR is in force, this will no longer be an option.
In reality, Article 34 describes a few scenarios that allow organizations to keep such events out of the public eye.
Data subjects only need to be informed of the breach if the stolen data may endanger their rights and freedoms and the data that is stolen is in an unencrypted, readable format.
Focus on what really matters
My point is that there has been much more heat than light in many articles. It would be better to focus on concrete steps toward compliance, such as:
- Use proper encryption and pseudonymization on all collected and processed data,
- Apply the data minimization principle so that only the necessary minimum amount of data is collected, stored and processed,
- Enforce access control, so that only authorized users can access and operate on personal data,
- Be transparent about what happens to the subject's data and request consent before performing any actions with it,
- Develop the ability to transfer and erase personal data,
- Define to what extent your organization is responsible for the safekeeping of personal data,
- Document and justify all applied policies and procedures, including why you perform each task the way you do.
The GDPR has already impacted the way enterprises conduct their business, and more changes are on the way, but to implement sensible security policies we all need to keep calm and focus on the facts.