In this episode of the GDPR mini-webinar series Amar Singh and Chris Payne discuss the topic of fines and penalties.
Amar: Welcome to Cyber Management Alliance’s GDPR mini webinar series. This is episode five and we are going to discuss fines and penalties. Something I am sure everybody is very interested in and there is quite a lot of confusion out there, and we are hoping to clarify that in this particular episode. If you are coming in for the first time and this is the first one you are listening to, there are four previous episodes that you can look at. If you go to BrightTalk.com and search for Cyber Management Alliance, or search for GDPR mini webinar series, you should be able to find that, or you could go to cm-alliance.com. I am Amar Singh and I'm really happy to be joined again today by Chris Payne, Managing Director of Advanced Cyber Solutions. Chris, welcome.
Chris: Thank you, Amar.
Amar: Chris, let's clarify fines and penalties.
Chris: Yes, let's do that. So, I'm sure everybody has seen one of these headlines somewhere, on social media or even just the regular media; some kind of breach takes place, a public breach usually, and then the next headline would be "under the GDPR this organisation would have been fined X amount". So, I think this is something that normally irritates, upsets me a little bit, because I am one of these people that reverse engineers this figure here, to figure out whether they had done it correctly, and most of them, they don’t. So, we’ll clarify how to actually come to the conclusion of what the fines will be in this episode.
Amar: Excellent! And trust me, there it is in me too, because some people are putting up ridiculous figures without knowing the facts. So, there are some ridiculous figures out there, folks, but you need to know the facts. So, let's go through them now. Two-tiered administrative fines, Chris, what's that about?
Chris: So, most people are quoting on the higher tier, so the 20 million Euro or 4% mark, but actually there are two tiers of administrative fine under the GDPR and they are levied for different reasons, which we'll come to in a couple of slides' time. But the key thing to remember is there are two different types of fines; one is 10 million Euros and 2% and one is 20 million Euros and 4%. Now, really critical is the rest of the sentence here. Firstly it's "up to"; it’s not a blanket figure. It's calculated, and that is the ceiling number that you can achieve; either 10 million or 2% of global revenue. So, that's your global revenue. If you are fined in the UK, it takes into account your entire organisation globally and its revenue. It's based on the higher of the two figures, so 10 million or 2%, it’s not both, and it's also calculated on the previous fiscal year; and being really picky, most of the headlines out there actually calculate on the existing current fiscal year; it’s based on the previous fiscal year.
Amar: Excellent! So, let's break down the two-tiered model. Two-tiered, up to the 10 million one, let's discuss that; why and how it's levied.
Chris: Yes. So, this is the smaller of the two tiers and these are some of the reasons for acquiring this administrative fine and, of course, look in the GDPR itself for more information, but I have summarised the more important points, at least in my opinion. Not having consent if you are collecting personal information from children; so, you need to make sure that you've got proper consent from parents in that case; if you are not doing that then you will attract this fine. If you don't have Security by Design, which is something that we spoke about in the previous webinar. If you are not cooperating with the supervisory authority. This is an interesting topic; so, if the ICO in the UK decides that you haven’t been cooperating with their demands, you could attract this fine. If you are not notifying the ICO in the UK and, of course, the supervisory authority in your region, you could attract this fine. Not communicating to data subjects if you are obliged to after the breach; if you have not conducted the Data Privacy Impact Assessments, again discussed in the previous webinar; and if you are not complying with the rules of having an appropriate DPO, and the obligations that come with having a DPO, then, again, you can attract that lower end of the two tiers. Lower being a strange word for 10 million Euros or 2% of global revenue.
Amar: Yes! It's nothing much for some organisations but the 2% changes the game, doesn't it? And the percentage changes the game actually. Going on to the next one, which is up to 4% or 20 million.
Chris: Yes, and our piggy bank in the corner here is really being hit hard now. And just to capitalise on the point that you are mentioning there, I think the percentage is probably more worrying as a risk to most organisations because it's something that is not necessarily quantifiable today, and it’s reflective of your global revenue, so that figure can be quite large, and quite worrying. But to attract the higher level of the administrative fines, you would have to break some of the principles related to processing data. So, for example, you may not have lawful consent. You might not be able to prove that you are using data minimisation; what I mean by that is you may be collecting attributes from data subjects that you don’t need. It could be that you are processing special categories of personal data when you shouldn’t. That could be anything from religious beliefs to trade union membership to sexual orientation. If you have no legitimate purpose for processing them and you are, you could attract this level of fine. If you are not conducting yourself with regard to the data subjects' rights; so, for example, if I request you to forget me or to stop processing my information and you fail to do that within the time frame required or within the boundaries of the requirements, then you could attract this level of fine, too. And the final ones we’ve got here are if you don't allow the supervisory authority to have access to you; that could be communicative, that could be access to your site for the purpose of audit, it could be looking at documentation; again, you could attract that fine. It's slightly subjective, but I guess it's up to the supervisory authority to determine. And also if you are ordered to suspend processing, and when we say that we mean by the supervisory authority, and you don't and you continue to process, then you attract the higher level of the fines as well.
Amar: Very important, yes. Well, we were seeing a client several months ago and he was collecting the sexual orientation of people and it was clear he did not need it. And people need to get out of this mindset that they need to collect as much data on subjects as possible. Only collect the data you really need to do your business. So, please do keep that in mind; otherwise, as we are discussing now, it's not going to be nice when the law is enforced. We are already in the law, it’s already law, it’s already going to be enforced from May 2018, so please do be aware. Chris, thank you for that, and fines are determined, sir. What are the fines determined on, then?
Chris: Right, so, if the fines are not blanket and they are determined somehow, then these are the methods by which they are determined, and the ICO, after a breach, at least in the UK, and of course your local supervisory authority for anybody outside of the UK, would be using some of these conditions, and they are not limited to these; there are more in there, in the regulation itself, in order to calculate what your administrative fine would be. So, it could be based on previous breaches; in particular, if it's a breach of the same nature, then it’ll be deemed that you are negligent and you haven't made changes that you should have. The level of cooperation that you have provided to the supervisory authority; if you have been deliberately obstructive, then they might decide to increase the fine. The categories of personal information that are included in this; so again, Amar was just speaking about special categories; if that happens to be a part of your breach then that’s going to be taken more seriously. How the breach became known. The ICO, at least in the UK, and all the other supervisory authorities are quite keen that organisations should be disclosing breaches themselves. If it happens to be a third party that discloses it, or even worse, a data subject, then the supervisory authority is not going to look on that too kindly.
Amar: Very much.
Chris: Absolutely. Previous corrective powers used against the controller or processor, so very, very similar to previous breaches; if the ICO or the supervisory authority has demanded that you have some kind of corrective process based on a previous breach and you haven't implemented it, you have got nothing to say to that. You’re going to attract a high level of fine in that case, too. And they also take into account any other aggravating or mitigating circumstances. So, there is a little bit of a catch-all at the end of this, sort of like an ‘other’ type category, in which they can feed in any other type of cases or evidence that they might want to submit to increase that fine.
Amar: Totally, but I think even if you ignore the other aggravating circumstances, the point is there are many, many opportunities, if you look at current practices of businesses, that they need to look at and review. To repeat, technology is important, but a lot of this is culture and the culture needs to start changing. Whoever is looking at collecting data: why do you need that data? What do you want to do with that data? You need to look at that. It's a cultural change and that needs to start as soon as possible. Chris, additional points; what are the additional points over here? Data subjects have the right to seek compensation. What's the thing on this?
Chris: And I think this is what really destroys those estimations of cost to a business if they were to be found in breach, because although you may attract an administrative fine from your supervisory authority, if your data subjects can prove that that breach has brought them distress, then they can also bring about a compensation claim against you as well, which means the total can actually be way in excess of the administrative fines we’ve talked about previously in the slides. And there has been a lot of commentary on this lately about the idea of this topic even becoming the next PPI or the next sort of ambulance-chasing type activity: class action lawsuits where you’ve got a collective of people coming together to seek compensation from a data controller or processor. We could start to see those as reality.
Amar: Yes, not good, not good times but yes.
Amar: And distress is something that I think businesses must be careful of. Causing distress is not going to be… you are going to be fined if you do cause distress to a data subject.
Chris: And distress is a difficult word to quantify, and I think there has been a lot of discussion around that, and ultimately it's going to be up to the courts. So, distress, I guess, is a subjective term and it depends on the data subjects themselves.
Amar: Excellent! So, Chris, we are almost done for this particular episode, fines and penalties. What are we covering in the next one?
Chris: So, in the next episode, we are going to be looking at this new elusive figure in your organisation, potentially in your organisation, called the data protection officer. What are the requirements for one? When do you need one, and what's the difference between a DPO, which we tend to refer to them as now, and your existing CISO?
Amar: Excellent! That’s going to be... if I could bring that up in the multiple topics. For now, thank you, everyone, for listening in to episode number five, and do remember that you can download the summary sheet for this particular episode, and download the free GDPR preparation kit. Thank you, Chris, and thank you everyone for listening in.