Fine Time: What GDPR Enforcement Could Look Like

Some exclusive research recently landed with Infosecurity that promised to offer an insight into what GDPR fines could actually look like.

Contained in a comprehensive Google Document, the research looks at the annual financial reports of the FTSE 100 and includes each company's turnover, profit after tax and what a fine of 4%, 2% or 1% of turnover would mean for it.

Listed as per the FTSE 100 on Tuesday October 2 2017, the research reveals that the company listed #1 on that day – Royal Dutch Shell – would see their entire annual profit wiped out if they were to face a 4% fine under GDPR. In fact, of the 100 companies listed, 34 would see their profit wiped out with a 4% fine, 19 with a 2% fine and 15 with a 1% fine.

Also, 29 of the 100 have already suffered a breach in the last eight years that could incur penalties under the incoming rules.

According to Article 83(4) of the GDPR, infringements of the obligations it lists are subject (in accordance with paragraph 2) to administrative fines of up to €10m or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Further, non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall be subject to administrative fines up to €20m or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

“Generally speaking, breaches of controller or processor obligations will be fined within the first tier, and breaches of data subjects’ rights and freedoms will result in the higher level fine,” claimed GDPR Associates. Essentially, a breach deemed to be more “serious” will be more likely to see a 4% fine.

Speaking to Infosecurity about the research, Tenable EMEA technical director Gavin Millard said that the research demonstrates that regulatory fines are a reality, and this is “a great example of quantifying the cost” of data protection.

Noting that the total fines issued by the Information Commissioner’s Office in 2017 came to £3.1m, Millard said this research demonstrates “the cost of not doing data security and not doing right by what you collect.”

Although Millard admitted that the FTSE 100 companies would never face such fines, as they would have the legal means to avoid such action, he did say that “for the average organization this shows how much an impact a 4% fine can have.

“When it comes to profit and revenue, 4% is a huge amount of money and a 4% fine would mean 34 of the FTSE 100 would lose profit from 2016, and that is not an insignificant amount of money.”

According to the GDPR guide from the Information Commissioner’s Office: “Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.” Millard claimed that the research shows that “the larger the revenue the larger the risk and the larger the fine,” and this should help prove that this is “not about infosec, this is pure business risk.”

While the research raised some eyebrows with its findings, it also found some critics. Rowenna Fielding, data protection expert with Protecture, said that even if the numbers were accurate, the big issue is whether a 4% fine would ever be issued, which she believed was NOT going to happen (in the UK at any rate).

“GDPR specifically says fines must be ‘effective, proportionate and dissuasive’ (Article 83(1)), so it's unlikely that any regulator will get away with putting anyone out of business. Whether litigation costs will be more significant than regulatory penalties remains to be seen (I think there is a possibility).”

Jon Baines, chair of the National Association of Data Protection Officers (NADPO), said: “While I don't doubt the accuracy of the figures in the research, I struggle to see the point of things like this. Article 83 and recital 150 of GDPR make clear that fines must be proportionate and it is highly unlikely that, except in the most exceptional and egregious cases, fines approaching this sort of magnitude will emerge.

“In the UK at least, the ICO has been at pains to point out it will not be doling out huge fines, and that education and encouragement are much more the watchwords.”

The reality is that the fines could be as sizeable as the data protection regulator deems the offense to be. Vicki Gavin, compliance director and head of business continuity, cybersecurity and data privacy for The Economist Group, said lawyers are commonly using ‘fines could be this big’ sticks to scare people into doing way more than they need to for compliance.

“The intent of larger fines is to punish those who blatantly disregard their responsibilities. The majority of incidents and breaches are the result of errors, not mal-intent, and I believe the ICO will continue to issue sensible fines in those cases,” Gavin said.

“I believe the reason for the large limit is so that no-one can say definitively that the cost of compliance is greater than the cost of the potential fine and eliminate that loophole that less reputable organizations have been using for some time.”

Whether the figures turn out to represent reality may not be known for months, if ever, but as Millard said, “a fine could wipe out your profit,” and GDPR has placed an emphasis upon protecting data.

Where can organizations turn to make sure they avoid fines of the size displayed in the research? Millard said that his customer conversations show investment in four main areas: first, knowing where data is and what is being collected; second, whether that data is protected and encrypted; third, improving foundational security and the overall posture of the organization; and fourth, having a really robust incident response plan for when things go wrong.

GDPR becomes a reality in fewer than six months, and the prospect of a regulatory fine should prove the need to achieve compliance. That prospect can be daunting, but conversations Infosecurity has had indicate that if you are compliant with the 1998 Data Protection Act, then you have the majority of the work done and it’s mostly about ensuring consent from your clients.

The scary part of GDPR has been detailed, the next job is to avoid being in the headlines.
