The European Union's new data protection law, the General Data Protection Regulation (GDPR), went into effect on May 25th, 2018. The GDPR is a broad and substantial regulatory change meant to create uniform standards by which users' personally identifiable information (PII) is stored, transmitted, and protected against theft. Many companies may be bound by the GDPR and not realize it. As such, they are at risk of being found non-compliant with the GDPR, which can incur significant fines. In this article, we'll outline who is covered by the GDPR and explore the penalties that businesses can incur by being found non-compliant. The GDPR sets a high bar for compliance, and may require businesses to significantly change what types of data they store and how that data is stored. As such, a GDPR risk assessment or GDPR readiness assessment conducted by a qualified security assessor is essential to identifying areas of non-compliance and creating a comprehensive GDPR-compliant data management system going forward.
Who is Covered Under the GDPR?
Although the GDPR is already in effect, it is not too late for companies to become compliant. The first step towards compliance is figuring out if your business is subject to the GDPR regulations. Most large businesses, such as multinational corporations, have been well aware of the GDPR regulatory changes and have moved towards compliance. However, many smaller businesses outside of the European Union may not realize that they too are bound by the GDPR regulations and may be fined for non-compliance. Because of the stiff penalties for non-compliance, it is essential to move quickly to assess whether you are in-scope and then move forward to meet the regulatory changes for GDPR readiness.
Despite the fact that the GDPR was crafted by the European Union, it has a global reach. There are two ways that the GDPR defines the scope of who is covered by the regulation. First, if your company processes data and is based in the EU, then you must maintain compliance with the GDPR. This can be confusing for companies that are based in the EU but process their data in another location. It is important to understand that even if a company processes its data outside of the EU, if it processes personal data and is based in the EU then it must comply with GDPR requirements.
The second provision that defines the scope of the GDPR is even more far-reaching, and affects many businesses that are based in the United States and outside of the European Union. Companies that are based outside of the European Union but interact with individuals in the EU, including through goods, services, or the monitoring of individuals, are considered under the umbrella of the GDPR. As such, any business that is based in the United States but sells goods or services to individuals anywhere in the EU must maintain compliance with the GDPR. The broad scope of the GDPR implementation may come as a surprise to many smaller businesses in the United States, but keep in mind that the GDPR is intended to protect the PII of individuals within the EU, regardless of where that information is processed or stored.
In addition to the two provisions in the GDPR that outline the scope of who is affected, the regulation also outlines what is considered personal data. This is important for businesses to understand whether the types of data they handle from individuals within the EU are considered under the scope of the GDPR definition. The GDPR defines personal data broadly, meaning that if you process and store nearly any data about individuals within the EU then you are required to comply with GDPR data regulations. The GDPR defines personal data as any information that relates to an identified or identifiable living individual. It is important to note as well that information that has been de-identified but can be used to reconstruct the identity of an individual is covered under GDPR regulations. Information that has been rendered irreversibly anonymous is not covered under the GDPR.
One common mistake that smaller companies also make when assessing whether they are considered in-scope for the GDPR is the belief that only information processed and stored digitally is covered. The fundamental goal of the GDPR is to safeguard the storage of PII of individuals in the EU, while also making that process more transparent to the individual. PII that is processed and stored digitally is obviously the predominant component of this, especially given the massive data breaches that have occurred in recent years. However, the GDPR also applies to businesses that process and store personal data for individuals in the EU on paper. Any company that keeps hard copies or records of personal data for individuals from the EU must also maintain compliance with the GDPR. This means that these companies must ensure that the same strict requirements for how personal data is processed and stored digitally are applied to their physical storage systems as well.
Penalties for Non-Compliance
If you are covered by the GDPR, non-compliance can lead to significant financial penalties. In addition to financial penalties, non-compliance that results in a data breach can lead to reputational harm, loss of consumer confidence, and may require your company to compensate individuals affected by the breach. The GDPR fines for non-compliance are significant enough to affect the ongoing profitability of an organization, thus making compliance with the GDPR an organizational priority moving forward. The fines for non-compliance are calculated based on a number of criteria outlined in Article 83 of the GDPR. These criteria are:
- If non-compliance results in a data breach, the severity of the data breach including the numbers of individuals affected, the types of information involved in the breach, and the scope and duration of the breach are all considered when determining a fine.
- If a data breach is the result of negligence or intentional malfeasance.
- Efforts by the company or data processor to mitigate the harm to individuals as a result of the data breach are also weighed when determining fines.
- The level of responsibility the company or data processor has for the resulting infringement.
- If the business or processor works closely with the regulatory authority to rectify the breach and eliminate the chances of a future incident this will be taken into account when assessing the fine.
- The categories of personal data that were affected by the breach will be taken into consideration when levying a fine.
- When the company became aware of the breach and how promptly they notified regulatory authorities. It is important to note that the GDPR requires businesses that suffer a breach to notify the regulatory authority within 72 hours of the breach and to notify the individuals affected by the breach as promptly as possible.
- The history of the data processor or company will be considered when levying a fine. This includes instances of non-compliance or breaches in the past.
- The regulatory authority will also consider the degree to which the company adhered to the codes of conduct outlined in Article 40 of the GDPR, as well as the certification mechanisms in Article 42.
- The regulatory authority will also assess a number of other factors that may result in higher or lower fines being imposed. These can include any financial benefit, or losses avoided, that the company may have had as a result of the infringement.
In addition to these criteria, there are also two tiers of fines that can be imposed for non-compliance with the GDPR.
Tier 1
This can be considered a lower-level infringement of the GDPR. It carries a maximum penalty of 2% of the company's global annual revenue for the previous financial year, or 10,000,000 EUR, whichever is higher. In order to fall under the lower tier of fine, a business must have violated the following provisions:
- The requirements of the controller and processor as outlined in Articles 8, 11, 25, 39, 42, and 43 of the GDPR.
- The requirements of the certification body as outlined in Articles 42 and 43 of the GDPR.
- The requirements of the monitoring body as outlined in Article 41 of the GDPR.
Tier 2
The second tier of fines for non-compliance with the GDPR imposes a maximum penalty of 4% of the total annual revenue for the previous financial year, or 20,000,000 EUR, whichever is greater. In order to incur this penalty, a company must have violated the following provisions and requirements of the GDPR:
- The processing principles and conditions for consent outlined in Articles 5, 6, 7, and 9 of the GDPR.
- The rights of the data subject as outlined in Articles 12 and 22 of the GDPR.
- The transfer of personal data to an individual in a third-party country or an organization outlined in Articles 44 and 49 of the GDPR.
- Violations of Member State law.
- Non-compliance with an order from the regulatory authority or with requirements to limit or stop processing data as a result of a data breach or violation.
How Can Companies Under the GDPR Assess and Maintain Compliance?
The level of complexity and scope required of companies in order to maintain compliance with the GDPR can be daunting. Large companies that operate multinationally are probably already ahead of the curve as far as ensuring compliance goes. For the rest of the businesses required to maintain compliance with the GDPR, understanding the scope of what is required of them can be a difficult and expensive process. Ensuring compliance with the GDPR is an ongoing and comprehensive process. Companies and businesses must understand that all departments within their organization must be privacy-minded and must recognize and adhere to the best practices and standards put forth in the GDPR.
The level of complexity and scope of requirements to maintain compliance with the GDPR is much farther-reaching than what many companies may be familiar with. Consider that the definition of what is considered personal data is far wider in scope than what has traditionally been considered personally identifiable information (PII) in the United States. Maintaining compliance with the GDPR requires your organization to both recognize that all personal data is sensitive and approach data protection and processing from a privacy-centered perspective. The data protection officer should oversee these activities. You can explore more about the steps an organization needs to take to reach a stable level of compliance with this helpful GDPR-centered guide to personal data security.
Bringing your organization up to compliance with the GDPR may take time and resources, and will almost certainly require you to change the way you interact with, process, and store personal data. The types of data that you store may also change. In order to facilitate this process, it is highly recommended that your organization have a third-party risk assessor conduct a GDPR risk assessment. Third-party risk assessors have a long-standing history of helping organizations secure the PII of their customers or users. A GDPR consultant will verify the integrity of your personal data processing systems and services while conducting a comprehensive check for gaps in security that may lead to non-compliance. The best practices and standards used to ensure your data systems, processes, and storage solutions are protected against outside intrusion are consistent with GDPR regulations.
Third-party risk assessors that offer GDPR consultancy services help bring clarity to the confusing process of maintaining GDPR compliance, while also helping organizations craft and adhere to industry-accepted best practices regarding how personal data is processed, used, and stored, as well as outlining which types of data a company should store in the first place. Third-party risk assessors explore every avenue of data transmission and access to ensure that all avenues of risk for a data breach or infringement of the GDPR regulations are recognized. Third-party risk assessors will then work with a company to ensure that a comprehensive data security solution is in place that addresses any gaps in security and creates the correct framework for ensuring ongoing data security and compliance moving forward. Additionally, third-party risk assessors can be relied on to provide external intrusion testing on a regular basis to ensure that your systems stay secure. Combined with crafting an actionable plan in the event of a data breach or security event, third-party risk assessors fulfill a vital role in helping organizations attain GDPR regulatory compliance and maintain it over time.