GDPR Fines: Panic!
Though it is fair to say that panic rarely leads to sound judgement, no?
So why, in this time of imminent change, are so many people succumbing to base instinct and curling up in the shadow of the General Data Protection Regulation? They could instead be taking a step back and taking the time to learn about the demon at their door.
If they did, then they may learn that it is not a demon at all… it is an angel of trust. Right, enough with the cheesy personification.
The GDPR is not a crafty device that allows the ICO to take more and more of your hard-earned money. Its primary function is keeping our sacred personal data secure. Yes, mine, yours and everyone else’s.
As the Information Commissioner Elizabeth Denham puts it, it is “about putting the consumer and citizen first”. It gives the ICO more leverage to ensure that a company protects the personal data that it holds.
Further, Denham says that “it’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm”. Clearly, issuing GDPR fines is anything but the priority for the Information Commissioner’s Office. Of the 17,300 cases handled from 2016 to 2017, only 16 ended with fines for the organisations involved.
Rising Maximum GDPR Fines
The potential for fines is rising with the new legislation, with the largest fines reaching €20m or 4% of the company’s annual turnover.
But why the need to increase the maximum GDPR fines? Simple: as Denham explains, “heavy fines for serious breaches reflect just how important personal data is in the 21st century”.
A company cannot neglect the personal data it holds and expect only a light tap on the wrist.
TalkTalk were fined a record £400,000 in 2015 under the Data Protection Act, after the ICO’s investigation concluded that TalkTalk could have prevented the attack. A basic exploit was used to access the personal data of 156,959 people, which in most cases included bank details and sort codes. This is incredibly valuable data, which could easily be used to steal money from thousands of TalkTalk customers.
The negligence on the company’s part, together with the sensitive nature of the data lost, is precisely why the ICO issued such a hefty fine. Under the General Data Protection Regulation, it is estimated that TalkTalk would have been fined somewhere closer to £60m… lucky for them, GDPR fines are not retroactive.
The Costs for Avoiding GDPR Fines
To your average company, £400,000 is a considerable chunk of money, but for a multi-million or even billion pound company it is far less overwhelming. That is not to say, however, that being GDPR compliant is cheap. It costs time and money to put all the correct procedures in place, and the costs are higher still for bigger organisations that hold more data. A study conducted by GlobalSpace concluded that the average cost of compliance rose by 43% from 2011 to 2017 across its sample of 53 multinational organisations, with the cost of non-compliance being double the cost of compliance in some cases.
The fines need to be higher than the cost of compliance, so that being compliant is the cheaper option. Money is a clear and powerful incentive.
No customer wants their personal data held insecurely, as happened in the case of TalkTalk. This leads to another facet, or rather a sharp edge, of GDPR: fines are not the only loss a company can suffer. If a company has insufficient safeguards for handling personal data, and that data is lost or stolen, customers are likely to avoid it in the future.
Are GDPR Fines Insurable?
Can GDPR fines be insured? Well, Information Commissioner Elizabeth Denham finished her article by saying that “While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective… While these will not hit organisations in the pocket – their reputations will suffer a significant blow… And you can’t insure against that.” A company may have very extensive insurance, but reputation is very likely not on that list… Most companies cannot afford to lose the faith and loyalty of their customers, employees or business partners.
Being a secure organisation means only working with organisations that are also secure. There is no use in having every protocol in place to ensure your company protects personal data if you then share that data with another company that does not. This is the ICO’s standpoint: fines are just as likely where the data you share with third-party organisations is stolen or lost as a result of their poor data security. Responsibility will rest on both organisations’ shoulders.
Nicholls Law, Experts on GDPR