Non-compliance is a costly mistake for businesses of all sizes
Sharing personal data with third parties is a big concern in 129 countries … and 20+ countries are working on finalizing their privacy laws!
Download our latest GDPR report — it’s free!
The highest GDPR fine is so far € 746,000,000!
Most of us have heard of the European General Data Protection Regulation (GDPR), but what about the other privacy laws, such as the UK GDPR, LGPD, POPIA, PDPL, DSG, and PDPB?
Businesses have no choice but to keep up to date with the different privacy laws to avoid any non-compliance penalties. Fortunately, the laws resemble much one another, but we’ll be addressing one of the strictest privacy laws in the world: GDPR.
The reason organizations get fined
What exactly is considered “personal data”?
Basically, anything that can identify an individual.
The General Data Protection Regulation (GDPR) defines “personal data” as
“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” Art. 4 GDPR
In other words, any direct and indirect data that can help identify an individual will be considered “personal data”.
Examples of personal data include:
Name, email, phone number, social security number, credit card information, address, photos, videos, audio files, gender, religious beliefs, political opinions, transcripts, chat history, files about a person’s professional or personal life, and much more.
Data that has been pseudonymized might fall under this category if it’s relatively easy to identify someone from it.
The heavy fines are issued for carelessness!
Don’t ever collect, process, or use someone’s personal data if you cannot protect it. GDPR regulators will particularly look if you’ve embedded the following concepts into your organization.
1. The Principle of Accountability
Did you know 54,33% of all GDPR fines are caused by disregarding this principle?
Most businesses think that using a GDPR-compliant solution will automatically make them compliant - and that’s a big mistake!
According to GDPR, the data controller (i.e. your business) must be able to demonstrate compliance.
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1”
In other words, if you cannot show how you’re processing and protecting personal data, then you are not GDPR compliant!
Regulators (i.e. the people who evaluate your compliance level) don’t want businesses to think of compliance as a “tick-box” exercise. Rather, they want companies to demonstrate their approach to data protection and that compliance is embedded in the culture of the organization.
Some ways to demonstrate compliance could be:
- To educate staff about privacy laws and data protection strategies (e.g. training sessions, online courses, technology, etc.)
- To appoint a Data Protection Officer or equivalent (e.g. privacy champions, privacy committee, etc.)
- To show that you are actively protecting your (sensitive) data that is shared with third parties (e.g. Tricent)
- To show that you have a Data Processing Agreement in place with third parties
“It's an advantage if businesses can demonstrate that they have been proactive when it comes to data protection”
— Jonas Anderson, GDPR specialist
2. Insufficient measures to data security
The second most expensive fine that affects every fifth organization!
Failure to implement “appropriate technical and organizational measures” has cost businesses around the world € 67,286,519 in fines up until July 2021. But what exactly does it mean?
In essence, it addresses the “how and what” organizations are doing to protect their personal data on a technical and organizational level.
Technical measures for protecting personal data could be to use encryption, multi-factor authentication, data loss prevention, pseudonymization, VPNs, and Tricent.
Organizational measures for protecting personal data could be to have a data protection strategy in place, train staff on what can vs. cannot be shared with 3rd parties, limit employees’ access to personal data, etc.
“The more businesses can show and prove what they have done, the better.”
— Jonas Anderson, GDPR specialist
3. Data protection by design and by default
A company was imposed a fine of € 22,046,000 for violating articles 5, 25, and 32!
Organizations must think data protection by “design and by default”. This essentially means at all times, situations, and activities. That is, if they want to avoid risking a (heavy) GDPR fine.
“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
Suppose you need to get a contract reviewed by a third party. You’d have to think of: the security behind the different file-sharing options (e.g. email, cloud, legacy systems, etc.); what are the privileges of the recipient(s), and for how long should the file be made accessible to them.
Like the principle of accountability, organizations must be able to demonstrate the reasoning of their data protection approach. The more you’re able to “design” data to actively protect the personal data, the better your are off.
“Those who get the highest fines are typically those who have said 'this has nothing to do with us”
— Jonas Anderson, GDPR specialist
Avoid making the same GDPR mistake
Who got fined in your industry?
GDPR Enforcement Tracker is a tool that lists all GDPR fines throughout time.
It explains which GDPR articles an organization has violated, why they were fined, and provides a link to the official statement.
Make sure to pay attention to the article that we have already covered (5, 25, and 32)
Is it 2% or 4% of global revenue, or €20.000.000?
GDPR applies to all organizations that deal with personal data of European citizens or residents, but the size of the fine will ultimately depend on the organization’s ability to demonstrate compliance (Article 5).
Unable to do so will could result in a fine of up to €20 million, or 4% of the organization’s global annual revenue (whichever is higher).
Organizations that are able to demonstrate compliance, but have not enforced organizational measures to protect personal data, may risk fines of € 10 million, or 2% of the organization’s global revenue (again, whichever may be higher).
Each situation will always differ, that’s why we suggest you consult GDPR professionals to guide you through your current data protection setup.
However, you can use article 83 to get a better understanding of how the size of fines is determined.
Compliance goes beyond GDPR, right?
New privacy laws are being introduced, as more and more countries are taking extra security measures to protect the lives of their citizens and residents.
If you’re an international organization, it could mean that you’d need to be extra attentive, as it can be a costly mistake. Being non-compliant can lead to multiple fines across multiple nations.
The United Nations Conference on Trade and Development (UNCTAD) has listed all privacy and cybercrime laws around the world.
Most people don’t remember to unshare files they’ve shared with others. Tricent remembers for you!