GDPR could cost you 4% of global revenue - you need to read this
Introduction
If you hold any personal data on anyone (customer, employee, supplier, etc.) within the EU you are subject to the teeth of GDPR.
GDPR (General Data Protection Regulation) passed into law in 2016 with a 2-year grace period for implementation, which expires on 25 May 2018. On that date GDPR becomes fully enforceable throughout the European Union, with fines of up to 4% of total worldwide annual turnover for failure to comply.
This level of fine is not to be sniffed at and requires all business leaders to be aware of the new regulation. Under GDPR the geographic criterion is the location of the Data Subject and the Personal Data, not where the company resides.
To give some context to the financial impact GDPR non-compliance will have, an article by Paul Roberts (digitalguardian.com, 2nd November 2017) used the example of Hilton, which was fined $700,000 on 31st October 2017 for two 2015 incidents in which the company was hacked, exposing credit card and other information for 350,000 customers.
The $700,000 fine is a comfortable $2 per lost record - but it’s a mere rounding error for Hilton, which reported revenues of $11.2 billion in 2015, the year of the breach. The $700,000 fine, then, was just 0.00006% of Hilton’s annual revenue in the year of the breach.
But things are going to be different for Hilton and other companies like it come May 2018, when the provisions of the EU’s General Data Protection Regulation (GDPR) go into effect. Under that new law, data “controllers” like Hilton (in other words: organizations that collect data on customers or employees) can be fined up to 4% of annual turnover in the year preceding the incident for failing to meet the law’s charge to protect that data.
What does that mean practically for a company like Hilton? Well, the company’s FY 2014 revenue (or “turnover”) was $10.5 billion. Four percent of that is a cool $420 million - or $1,200 for every customer record lost. Needless to say, that’s a number that will get the attention of the company’s Board of Directors and shareholders.
Regulation vs Directive: is there a difference?
A regulation is a binding legislative act and must be applied in its entirety across the EU.
- This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
- This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
- The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
A directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how.
GDPR is a regulation which replaces the previous directive (1995 EU Data Protection Directive 95/46/EC).
The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law.
The new regulation provides for administrative fines and a supervisory authority with investigative, corrective, authorisation and advisory powers which are intended to be “effective, proportionate and dissuasive”.
Administrative Fines
There are two bands for maximum fines.
10 000 000 EUR, or up to 2 % of the total worldwide annual turnover
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
1. the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
2. the obligations of the certification body pursuant to Articles 42 and 43;
3. the obligations of the monitoring body pursuant to Article 41(4).
20 000 000 EUR, or up to 4 % of the total worldwide annual turnover
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
1. the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
2. the data subjects’ rights pursuant to Articles 12 to 22;
3. the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
4. any obligations pursuant to Member State law adopted under Chapter IX;
5. non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Additional Penalties
If the fines are not eye-watering enough, there is also a provision for additional penalties to be determined by each EU Member State. They must be “dissuasive”, and Member States must notify the Commission of them by 25 May 2018.
Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.
Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following:
- the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
- the intentional or negligent character of the infringement;
- any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
- any relevant previous infringements by the controller or processor;
- the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
- the categories of personal data affected by the infringement;
- the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
- where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
- adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Definitions used within GDPR
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
Conclusion
Don't ignore this one! If you hold personal data at any level, you must take the steps the regulation prescribes.
Talk to us if you are uncertain what to do or wish to validate what you have done so far. www.zendig.co