The buzzword in tech circles regarding GDPR is the risk-adaptive approach, promoted as an effective, proactive method of ensuring foolproof data security. While the technical aspects of GDPR are a different dimension altogether, for businesses the all-important aspect of GDPR compliance and penalties merits urgent attention. Businesses that met the compliance requirements before the 25th of May can heave a sigh of relief, while those that did not become compliant need to be aware of how non-compliance with GDPR can affect their future. But before we dive deep into the GDPR Act, let’s first look at what the Act actually means to a business or an individual.
The EU’s GDPR is basically a unified regulation aimed at protecting the data and privacy of EU residents. In other words, any business entity dealing with data that originates from the EU needs to be compliant with the regulation, regardless of its role or function in the processing or storage of that data. Organisations found to be non-compliant can be sanctioned under the provisions of the Act, which range from administrative fines and reprimands to data processing bans, either temporary or permanent. The fines are expected to be a strong deterrent because of the heavy amounts involved. These regulations have no bearing on the legal remedies available to individuals affected by possible breaches.
While the technical aspects of the GDPR are important for meeting compliance requirements, the administrative aspect is what has a direct impact on the bottom line. For instance, non-compliance with GDPR can mean that businesses face the prospect of being fined, in addition to warnings and reprimands or a possible ban on the processing of EU data. The fines are stiff and are intended to goad businesses into action. The Act comes armed with stiff fines across two different categories.
The first category of fine covers all those cases where a business has failed to implement adequate technical measures as required by the GDPR Act. Violations in this area that can result in the compromise of data attract fines and other punitive sanctions. The fine levied is 2% of annual turnover or €10 million, whichever is higher. There are two points worth remembering here. One is that the turnover of the preceding year is used in the calculation, and the second is that the 2% is calculated on the basis of turnover and not on the basis of profit margin. The €10 million amount will apply to firms with a turnover of less than €500 million, while those with a higher turnover will have their fines calculated on the basis of the 2 percent.
The second category pertains to violations of the core principles of the Act. In other words, any action or inaction that leads to the compromise of the rights of data subjects will attract the provisions of this category of fines. The maximum fine levied in this category is €20 million or 4% of annual turnover, whichever is higher. As in the first category, the ‘whichever is higher’ clause and the turnover basis apply. What this means for an organisation is that if its annual turnover exceeds €500 million, the fine would be far more than €20 million. In addition to the administrative fines, the organisation will have to contend with the fallout, including damage to its reputation and loss of clientele as a result of the breaches.
The technical aspects of the GDPR Act are extensive and require thorough audits and implementation to ensure that neither category of fine is attracted. However, there is one aspect worth mentioning here. Companies need to implement the right processes in their operations. This is necessary to prove that the company made the right attempts to mitigate the damage caused by a breach. For instance, Section 33 of the Act specifies a notification period of 72 hours. This is a straightforward and easily implementable process that can have significant effects after a breach. Companies are expected to pass on the information about the breach within that period. The importance of this section is that after a violation of any aspect of the Act, or an incident, an investigation is likely to be carried out, and the outcome of this enquiry will determine the extent of the fines. A company that has measures in place to mitigate the effects of a breach will attract lighter penalties when other factors also weigh in its favour.
There are other actions in addition to the fine, some of which are not so serious, while others can be debilitating to the standing of an organisation. For instance, the Act allows an entity to be let off with a warning or a reprimand instead of a fine, or in addition to a fine. This is not very serious, considering that a warning or reprimand will have the effect of helping the company to get its act in order. A data processing ban, on the other hand, can deal a deadly blow to a company. Bans can be temporary or permanent. Even if the ban is temporary in nature, it is highly likely that the company will be able to recover from the effects of the ban. A permanent ban will sound the death knell of the company. This makes it important for companies to always stay within the regulations and prevent the ugly situation of having to face a ban.
After an incident or breach, an assessment will be carried out to ascertain the extent of the penalties or the nature of other administrative action. This assessment will look into various aspects before recommending penalties or action. Companies need to be aware of how the assessment will be carried out. By understanding the different parameters of the assessment, it becomes easier to mitigate the effects of the administrative action or fines. For instance, the assessment will verify whether notification was given on time, whether there were attempts to contain the breach, and whether the company had measures in place to prevent the breach. These and many other factors will be considered as part of the assessment. Companies that address these issues will be able to reduce their exposure to a breach and, more importantly, face lighter punitive action in the event of an actual breach.
A large number of incidents have rocked organisations globally. These incidents have shaken the confidence of clients and customers. A company that is compliant with GDPR will find that, in addition to preventing punitive action, compliance helps make the company more robust in its security. While the GDPR Act is intended to safeguard the rights and data of EU residents and citizens, it aims to bring about heightened security and better processes through deterrence. This effectively means that fines will not be levied in a binary ‘yes’ or ‘no’ manner; all the circumstances will be actively considered before any action is taken. However, companies will do well to stay compliant, not only to avoid the penalties, but also because of the need for increased safety. GDPR compliance will automatically improve the safety measures and throw a wall of safety around the operations.