The EU's Article 29 Working Party has already had a busy month. Following the group of European regulators' early-October plenary session, there has been a slew of releases, including new draft guidelines on data breach notification and profiling and automated decision making.
Then, on Friday, the group posted a document many have awaited with much interest: the final guidelines on the application and setting of administrative fines under the GDPR (warning: downloads PDF). Just what does an organization have to do in order to incur that oft-quoted fine of 4 percent of global turnover?
Well, the WP29 doesn't go so far as to outline specific scenarios that would trigger the largest-possible fines, but they do lay out assessment criteria with which you can create your own. And they also let you know, clearly, that failing to listen to your data protection officer is a bad idea.
First, data protection authorities will consider the "nature, gravity and duration of the infringement." The guidelines note that "minor infringements" certainly exist as outlined in the Regulation, and that there are cases that might only trigger a reprimand, especially where whatever happened "does not pose a significant risk to the rights of the data subjects concerned and does not affect the essence of the obligation in question." Further, if a fine would impose a "disproportionate burden" on a "natural person," then a reprimand might be appropriate.
And the guidelines specifically state that "detailed calculation work" regarding the size of fines will likely be revealed in a subsequent set of guidelines.
However, in large part, DPAs are instructed to consider the following factors in determining the size of a fine:
The number of data subjects involved. As a rule of thumb, the more people affected, the bigger the fine, especially if the number is larger because of repeatedly doing the same thing, rather than a single isolated incident.
The purpose of the processing. DPAs will examine closely how the organization has addressed the purpose limitation principle, in regard to both purpose specification and compatible use.
The damage suffered by data subjects. While DPAs are not competent to award compensation to the data subjects themselves, they are encouraged to consider the damage suffered, or likely to be suffered, as suggested by examples of the "risks to rights and freedoms" in Recital 75:
[W]here the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.
The duration of the infringement. A long time isn't bad, per se, but may be indicative of willful conduct, failure to take appropriate preventative measures, or an inability to put in place required technical safeguards.
Given the above, there are two other factors that might incline a DPA to ratchet up or down the fine amount.
If the DPA finds that the violation of the GDPR is a result of negligent or intentional behavior, that would make a fine more likely. Intentional breaches of the GDPR would be indicated by activities expressly dictated by the organization's highest management, for example, or "amending" a set of personal data to make it look like the organization was in compliance when it wasn't. Negligent behavior might be simply failing to keep up with the latest security practices, or failing to actually follow a policy put in place by the organization itself.
Perhaps most interesting for privacy pros is that the WP29 specifically says that actions taken "in spite of advice from the data protection officer" may be considered "intentional" and therefore trigger higher fines.
On the other hand, if the organization has taken certain actions "to reduce the consequences of the breach for the individual(s) concerned," then that "responsible behavior" will be considered in the calculation of the sanction. You don't get bonus points for having good security or performing data protection impact assessments, however. That is an organization's "obligation," the DPAs make clear. Taking responsibility and making efforts to limit impact, on the other hand, definitely will count in your favor.
One lingering question that many people have asked, however, is answered fairly definitively: If a subsidiary runs afoul of the GDPR, is the corporate parent tied in to determine "global turnover"? Yes. In the guidance, the WP29 writes that "the concept of an undertaking is understood to mean an economic unit, which may be formed by the parent company and all involved subsidiaries."