Administrative Fines and the GDPR
We often hear that the difference between the GDPR and earlier data protection legislation is that it has teeth. This has never been truer than this month, when proposed fines for data breaches of £99 million STG (Marriott International Inc.) and £183 million STG (British Airways) hit the headlines in the UK.
Let’s look at the area of GDPR fines and see what we can learn.
To begin, let’s look at what the GDPR actually says about fines. Article 83 of the GDPR deals with the levying of fines. Article 83.4 provides for fines of up to €10 million, “or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher” […] for breaches of the GDPR involving the general duties of controllers or processors, children’s data, certification, or processing that doesn’t require identification.
Article 83.5 provides for even higher fines of up to €20 million, “or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher” […] for breaches involving, among other things, the GDPR principles, data subject rights, the legal basis of processing, consent, special categories of data and data transfers to third countries. Under Article 83.6 a large fine can be levied for non-compliance with an order of the national data protection supervisory authority, regardless of the original data privacy infraction.
The GDPR allows each country to decide under Article 83.7 as to whether they impose fines on state/public bodies. There had been talk that in Ireland public bodies would be exempted from administrative fines. However, in the end the Data Protection Act 2018 Section 141 allows for fines of up to €1 million to be levied on public bodies for data protection violations.
So why are we now hearing so much about proposed fines? Firstly, the GDPR has been law for over a year, so complaints made to the national data protection supervisory authorities since then fall under the new regulation’s remit. In addition, breaches have been reported and individuals have used the GDPR to assert their privacy rights with their national supervisory authority or in the courts.
In the UK, the ICO, the British national data protection supervisory authority, announced its intention to levy the heavy fine on Marriott International Inc. because of a hacking incident which affected 339 million guests, many of them based in the GDPR area (EU/EEA). The ICO said in its statement on 8th July 2019: “The GDPR makes it clear that organisations must be accountable for the personal data they hold”. The proposed British Airways fine was for a cyber attack incident in which approximately 500,000 customers’ details were harvested. The ICO cited issues with security and said in its statement on 8th July 2019 that “when you are entrusted with personal data you must look after it”.
Fines don’t only affect large multinational companies; they can be levied on any organisation, from local authorities to schools. In Norway the national supervisory authority for data protection, Datatilsynet, imposed a fine of €170,000 on the Municipality of Bergen. According to the Datatilsynet website: “The incident relates to computer files with usernames and passwords to over 35000 user accounts in the municipality’s computer system. The user accounts related to both pupils in the municipality’s primary schools, and to the employees of the same schools.” The national supervisory authority stated that the breach violated “both art. 5(1)f (integrity and confidentiality) and Art. 32 GDPR (specifics on security of processing)”. As the data subjects were children (vulnerable people), this was a factor in the decision.
In Ireland, to date the national supervisory authority has not imposed fines under the GDPR, but it has a number of investigations ongoing, so it may be only a matter of time before these are imposed.
So, the golden question: how can an organisation avoid these hefty fines? The answer is simple: obey the data protection laws. This means processing personal data with a legal basis, knowing what data you have, not holding it for excessive periods, and following all the other provisions of the legislation as relevant to your business. Most importantly, you need to maintain that standard, checking systems for weaknesses (keeping data secure) and constantly seeking to improve your organisation’s approach to data protection through review of processes, policies and procedures in action, so that you remain consistently accountable and secure when processing personal data.
Enguard can assist with the issues which the GDPR raises, from audit, security and staff training to drafting policies and procedures. For further details please call us at Enguard on 0818 252 052 or email firstname.lastname@example.org. We would love to hear from you!
Disclaimer: Please note the above article is an opinion piece based on current sources of information available at time of publishing. It should not be read as legal, clinical or other form of technical advice for the processing of data by processors or controllers.