Whilst GDPR data security breach fines look set to hurt non-compliant companies, they will also help to encourage good security governance.
GDPR data security breach fines have the makings of a fiscal horror movie, exposing companies that fall foul of the regulation to fines of up to €20m or 4% of annual worldwide turnover for a corporate group, whichever is greater. This far exceeds the current maximum fine of £500,000 that the UK Information Commissioner (ICO) can impose, so this is understandably causing concern for organisations that control or process European citizens’ personal data.
Indeed, the Payment Card Industry Security Standards Council (PCISSC) estimates that British businesses could face up to £122 billion in penalties for data security breaches when new legislation comes into effect in May 2018.
Whilst this is a sobering estimate, it’s worth noting that the €20m or 4% of turnover is the maximum fine for data security breaches and the sharp end of the fining structure.
Alternative to fines
The supervising authority, which is the ICO in the UK, can take a number of other routes if an organisation fails to meet the requirements of the GDPR.
Supervisory authorities have other corrective powers, which include issuing warnings and reprimands; compliance orders; and – in extreme cases – banning organisations from processing personal data, which could put them out of business.
The fines imposed by the supervisory authorities must be “effective, proportionate, and dissuasive” in each case. These fines have two tiers: the first is broadly for breaches of an obligation by a data controller or processor. The maximum fine for tier one is €10,000,000 or up to 2% of total annual global turnover.
The second tier – generally for breaching a data subject’s rights and freedoms – carries a maximum fine of €20,000,000 or up to 4% of total annual turnover of a corporate group.
IDC analyst Duncan Brown comments, “The fines are designed to be dissuasive, so they are meant to hurt. But if you demonstrate good processes, that you are trying hard to comply, my guidance from the regulators is that they will be more lenient.”
So how do companies avoid incurring such significant fines for data security breaches? Experts say that the use of encryption and pseudonymisation technologies can significantly reduce the risk of data security breaches.
Proactive breach reporting under GDPR
The GDPR requires a data controller to report a security breach to the authority within 72 hours of becoming aware of it, or provide reasons for any delay. A personal data security breach is defined under GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, transmitted, stored or otherwise processed.”
As part of the notification, the data controller – usually the company processing its own customer data and bearing ultimate responsibility for GDPR compliance – must “at least” describe the nature of the personal data breach; the likely consequences; and explain how the data controller proposes to address the breach.
Brian Honan, CEO and security expert at BH Consulting, recommends: “Companies should have a well-prepared incident response process. This should not just focus on the technical aspects of a breach but on the public relations, communications strategy, and liaising with the regulators.”
He adds, “These plans should be tested regularly to ensure they work as expected. Companies should also ensure they have the appropriate monitoring and detection controls in place to enable them to quickly identify and assess a breach.”
The key to minimising fines – and data breach costs, which could increase significantly given the obligation to inform affected individuals – is for security teams and the DPO to be proactive in securing data and reporting any incidents, as well as demonstrating a positive approach to ensuring security.
“The more information you can provide about the breach the better position you are in, and the more lenient a regulator will be,” IDC’s Duncan Brown advises.
However, rather than focusing on the fines, Brown says “organisations should be looking at what is the best practice, appropriate to the size and complexity of their business. If they focus on that then compliance should be much easier.”