EU Data Protection Supervisor Giovanni Buttarelli said yesterday that the first GDPR sanctions – fines, ultimatums, bans – will be imposed by the end of this year. Buttarelli co-ordinates the supervisory agencies across the EU, so he probably knows what he’s talking about – and he added that sanctions will be imposed in many EU countries and will affect many organisations and public administrations.
The ICO, of course, has already started. As far back as July, the Commissioner set out in her report a number of regulatory actions that had commenced and, since then, notable fines have been levied against Heathrow Airport (£120,000, for losing a USB stick), the UK branch of Equifax (£500,000 for its part in the massive US breach last year) and Facebook (£500,000 for the Cambridge Analytica breach).
Of course, the fines are ultimately based on the outcome of the investigations that followed identification of each breach; in each case, significant shortfalls in processes, procedures, training, oversight and accountability were identified. These fines were imposed under the DPA 1998, as that was the applicable legislation when the offences were committed. What’s noteworthy is that both the Equifax and Facebook fines were at the maximum permitted under the previous regime, and the fine for Heathrow was nearly 25% of the maximum.
Whatever the ICO may have said about a ‘softly softly’ approach to enforcement, it appears that organisations that have been negligent under the GDPR can expect to face significant financial and other penalties.
This is where EU co-ordination becomes relevant. One objective of the GDPR is to provide a level data protection playing field across the EU. In this context, Spain, for instance, has a track record of imposing fines in the range of €450,000 to €1.4 million. Italy had a theoretical maximum of €2.4 million but in one 2017 case aggregated fines for multiple breaches into a total fine of €11 million. The ICO’s record fines this year indicate significant alignment with those previously levied elsewhere in the EU.
Are you #BreachReady?
So, the key question for UK businesses: are you ready for these fines? Even if you’re not one of the organisations on the early list, there’s going to be an uplift in supply chain worries, and in closer inspection of breach history and cyber security capability. Cyber security and privacy need to be on the board agenda, and the board will need to be able to demonstrate that it has effective governance mechanisms in place to ensure correct management of personal data. Breach readiness is going to be a fundamental organisational capability.
And if you’re not yet in tip-top shape (and data suggests that 75% of UK organisations aren’t yet GDPR-compliant), there’s no better time to get your GDPR project moving than today!