Last year, before the EU’s General Data Protection Regulation, or GDPR, went into effect, we posited this question: “What if mis-managing customer data could cost your company 20 million Euros or four percent of global revenue – whichever is greater?”
Nobody seemed overly concerned that the maximum penalty for non-compliance with GDPR would allow a company to be fined just that.
At the time, the numbers seemed so excessive that many people assumed it was a scare tactic rather than a real threat.
How times have changed.
Holy hack, Batman: Potential $1.63 billion in fines
Organizations of all sizes have been wondering how penalties for the GDPR would play out, and when Facebook stunned the world over the weekend disclosing a hack that allowed attackers to gain access tokens to at least 50 million accounts, companies began paying attention.
Ireland’s Data Protection Commission (DPC), the national watchdog, is not happy, and is threatening Facebook with a fine as large as $1.63 billion in response to the hack.
The DPC specifically expressed concern that although the breach was discovered several days before the announcement, there is still no clear picture of its nature or of its potential risk to users.
If successfully prosecuted, this would mark the first $1 billion-plus enforcement event since the GDPR regulation took effect, and would certainly seem to back up language in many of its articles, including this:
“Consistent enforcement of the data protection rules is central to a harmonized data protection regime. Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox.” Corrective measures, the guidelines continue, should be “effective, proportionate and dissuasive.”
Essentially, the EU has put a structure in place for authorities in each member nation to assess fines under GDPR, and has encouraged them to set big fines for big violations.
Goliath awakening: The biggest companies have the most to lose
As we’re seeing this week, the largest companies are especially vulnerable, because the guidelines say the maximum penalty of 4 percent of global revenue applies to the parent company – not just an individual business unit that goes astray.
Some of the triggers for enforcement laid out in GDPR guidelines include:
- Top management deliberately abusing customer privacy rights, such as “selling data as ‘opted in’ without checking/disregarding data subjects’ views about how their data should be used.”
- Ignoring advice from the organization’s data protection officer (DPO), a new watchdog role required under GDPR.
- Organizations failing to adopt “structures and resources adequate to the nature and complexity of their business … (organizations) cannot legitimize breaches of data protection law by claiming a shortage of resources.”
In plain language, the EU is saying it won’t accept “the dog ate my homework” excuses. The only effective way organizations can protect themselves from potentially crippling fines is to understand the GDPR and follow its rules.
The reality is that GDPR can be an existential threat to the corporate bottom line, and the precedent set by EU authorities will undoubtedly change the conversation for many other U.S.-based companies serving consumers in the EU.