
The GDPR Drivers: Penalties and Offences


By Daragh O Brien
December 31, 2015

[Note: This post is not intended as legal advice but is for information purposes. Also, as the final text of the Regulation has not yet been published, Article references may differ post Q1 2016. We will update this post when the final text is released for publication to the Official Journal of the EU]

The General Data Protection Regulation contains a significantly increased scope of offences compared to the current Irish Data Protection Acts. Perhaps most significantly, Article 79 of the Regulation explicitly requires that supervisory Authorities (the Data Protection Commissioner) ensure that in each individual case administrative fines are “effective, proportionate, and dissuasive”.

This means that a stern talking to and a donation to the Poor Box may no longer be adequate, except in the most low-key, low-risk cases. The “dissuasive” character of the required penalty is actually necessary to get over a behaviour that I have, in the past, termed “mental discounting”. In short: the penalty will need to be enough to make the executive management of the organisation sit up and take notice. It will need to have a material impact on their bottom line greater than the cost of allowing the offence to continue.

However, the Regulation doesn’t set an automatic penalty but requires Data Protection Authorities (through their co-operation mechanism) to agree a framework for penalty thresholds based on the extent of non-compliance and mitigating factors/controls the organisation had put in place. These mitigating factors are indicative of good Information Governance practices and are not limited to purely traditional “IT” or “Legal” measures.

The GDPR sets out two general categories of offences and associated administrative penalties, which I term “2% Offences” and “4% Offences”. Note that it is possible in a given set of circumstances that a particular incident could result in potential offences under either or both categories, and it will be at the discretion of the relevant supervisory authority which penalty to pursue (subject to the requirement for it to be “effective, proportionate, and dissuasive”).

The 2% Offences

Offences under Article 79(3) are subject to fines of up to €10,000,000, or 2% of global turnover. Acts or omissions which are likely to constitute an offence under the GDPR in the 2% category include:

  • Article 8 (Consent for children’s data)
    • Failure to make reasonable efforts to verify that a child is not below an age where parental co-consent would be required (minimum 13 years old, default 16 years)
    • Failure to make reasonable efforts to verify that consent is given/authorised by a “holder of parental responsibility over the child”
  • Article 10 (Processing not requiring identification)
    • Requesting identifying data from a Data Subject for the sole purpose of complying with the Regulation where the purposes of processing do not/no longer require the identification of the data subject. [This is basically a “retain for no longer than is necessary for purpose” requirement, with the addition of a “don’t ask for it again if you shouldn’t still have it” addition]
    • Failing to inform the Data Subject that they are not identifiable in data under the controller’s control.
  • Article 23 (Data Protection by Design & Default)
    • Failure to implement at the time of determination of the means of processing (design) and at the time of processing itself, appropriate technical and organisation controls in an effective way and to integrate necessary safeguards into processing
    • Failure to implement appropriate organisational and technical measures to ensure that, by default, only data necessary for each specific purpose are processed, including access controls.
  • Article 24 (Joint Controllers)
    • Failure to define and determine responsibilities of joint controllers.
    • Failure of a joint controller to respect a Data Subject rights request
    • Failure to make “essence” of Joint Controller agreement available to the Data Subject (I’m not sure what level of detail constitutes “essence of the agreement”)
  • Article 25 (Representatives of Controllers in the EU)
    • If an organisation based outside the EU is engaged in offering goods or services to data subjects in the EU, or is engaged in the monitoring of their behaviour, then they will commit an offence unless they can demonstrate that the processing is occasional, and does not relate to special categories of data or is unlikely to result in a risk to rights and freedoms of data subjects.
  • Article 26 (Processors)
    • Failure to use a Data Processor providing sufficient guarantees to implement appropriate technical and organisational security measures to meet requirements of Regulation
    • Engagement of a sub-processor without prior written consent of the Data Controller
    • Failure to have a contract or legislative basis binding processor to controller that meets the requirements of Article 26(2) of the Regulation
    • Failure to engage sub-processors/contractors on terms equivalent to the master contract with the Data Controller
  • Article 27 (Processing under the authority of the controller or processor)
    • Processing by a data processor or sub-processor in a manner other than on instructions of the data controller or as required by EU or Member State law.
  • Article 28 (Records of Processing Activities)
    • Failure to maintain a record of processing activities that contains the information set out in Article 28(1), unless you employ fewer than 250 people and your processing of personal data is only occasional, does not include special categories of personal data, or does not result in a risk to rights and freedoms of the data subject.
    • Failure to maintain a record of processing activities that contains the information set out in Article 28(2a) – including documenting who you process data on behalf of, unless you employ fewer than 250 people and your processing of personal data is only occasional, does not include special categories of personal data, or does not result in a risk to rights and freedoms of the data subject.
    • Failure to make records of processing available on request to supervisory authorities.
  • Article 29 (Co-operation with Supervisory Authority)
    • Failure on part of controller, processor, or their representative, to co-operate on request with the supervisory authority in the performance of their tasks.
  • Article 30 (Security of Processing)
    • Failure to implement appropriate technical and organisational measures to ensure a level of security appropriate to risk to individual rights and freedoms.
      • Failure to pseudonymise or encrypt data where appropriate
      • Failure to ensure an ability to ensure ongoing confidentiality, integrity, and availability/resilience of services processing personal data, where appropriate
      • Failure to ensure the ability to restore availability and access to data in a timely manner, where appropriate [in effect this and the previous make not having Business Continuity Planning as part of your Information Security Management System an offence]
      • Failure to have a process for assessing the effectiveness of technical and organisational controls for security (where appropriate).
  • Article 31 (Notification of Data Breach)
    • Controllers who fail to notify the relevant supervisory authority within 72 hours will have committed an offence, unless the breach is unlikely to result in a risk to rights and freedoms of individuals. Notifications made after 72 hours must be made with a reasoned justification for delay (which may be a mitigating factor in assessing the penalty).
    • Failure on the part of a Data Processor to notify the Data Controller without undue delay once they become aware of a personal data breach is an offence.
    • Failure to maintain documentation of personal data breaches, facts, and remedial actions taken. [as a ‘good practice’ note, I’d include ‘near misses’ here so that Supervisory Authority can see evidence of effective operation of controls]
  • Article 32 (Communication of a data breach to the Data Subject)
    • Failure to notify data subjects, either directly to the individuals or by way of an equally effective public communication, without undue delay where the breach is likely to result in a high risk to the rights and freedoms of individuals, except where the data has been rendered unintelligible, or subsequent measures have been taken to ensure the identified risk is no longer likely to materialise, or communication to individuals would involve disproportionate effort. [Note that the Regulation requires an equivalent public communication in cases of disproportionate effort]
  • Article 33 (Data Protection Impact Assessment)
    • Failure to carry out, prior to processing, an assessment of the impact of processing likely to result in a high risk for the rights and freedoms of individuals, in particular where:
      • the processing constitutes a systematic and extensive evaluation of personal aspects relating to individuals, based on automated processing, which will provide legal effects concerning the individual or will similarly significantly affect the individual
      • Processing consists of large scale processing of special categories of data under Article 9(1) or Article 9a
      • Processing consists of a systematic monitoring of a publicly accessible area on a large scale
      • Processing consists of a processing operation of a type specified by supervisory authorities
    • Failure to produce a DPIA meeting the minimum requirements of Article 33(3)
    • Failure to engage, where appropriate, representatives of data subjects in the execution of Privacy Impact Assessments.

(The two exceptions here are where the Supervisory Authority has determined in a public list that the processing does not require an impact assessment, or where the impact assessment has been conducted as part of the legislative process for EU or Member State law regulating the specific processing operation(s) in question.)

  • Article 34 (Prior Consultation)
    • Failure to consult the relevant supervisory authority prior to processing personal data where impact assessment indicates a high risk in the absence of mitigating measures by the Controller.
    • Failure to provide supervisory authority with required information under Article 34
  • Article 35 (Designation of DPO)
    • Failure to appoint a DPO by a public authority or body (except Courts in their judicial capacity), or by organisations engaged in large scale systematic monitoring of data subjects, or organisations processing on a large scale special categories of data (Article 9 and Article 9a).
    • Failure to appoint a DPO with knowledge and ability to execute tasks under Article 37
  • Article 36 (Position of DPO)
    • Failure on part of controller or processor to involve DPO in a timely manner in issues relating to processing of personal data
    • Failure on part of controller/processor to support DPO in performance of tasks through provision of resources, access to processing operations and data, and maintenance of expert knowledge.
    • Failure to ensure DPO operates independently in the conduct of their DPO function.
    • Dismissal or penalisation of a DPO for performance of their Data Protection related tasks (Article 37 tasks)
    • Failure to implement reporting structures that have DPO reporting to highest management level.
  • Article 37 (Tasks of DPO)
    • Failure on the part of an organisation to permit DPO to execute tasks as set out in Article 37
    • Failure on the part of the organisation to support DPO in awareness raising and training of staff
    • Failure on the part of the organisation to support DPO in conduct of internal audits
  • Article 38a and Article 39 (Monitoring of Codes of Conduct, Certification)
    • Failure to comply with obligations required by a Certification body (Article 39) or a body monitoring compliance with an approved code of conduct (Article 38a).

So, at the lower end of the scale, the number of potential offences and penalties that will exist under the GDPR is significantly greater than under Directive 95/46/EC and the current Data Protection Acts.

The 4% Offences

At the upper end of the scale, there are a small number of provisions that carry the 4% of Global Turnover or €20,000,000 (whichever is greater) penalty. But these tend to be more closely related to the fundamental rights and freedoms that the Regulation must protect (the 2% Offences are largely “functional” in focus).

  • Principles of Data Protection (Article 5)
    • Failure to comply with any of the six core principles will constitute an offence.
    • Failure on the part of a Data Controller to demonstrate compliance with the six principles will constitute an offence.
  • Lawfulness of processing (Article 6)
    • Processing of data without at least one of the lawful processing conditions outlined being applicable will constitute an offence.
    • Processing of data for secondary purposes, without either consent or a necessary and proportionate legal basis, will require a determination of compatibility to be made [recommendation: PIA triage required!!]
  • Conditions for Consent (Article 7)
    • Failure to demonstrate that consent has been given by the data subject for processing (specific and unambiguous consent, evidenced by a positive action)
    • Failure to present request for consent in a manner which is distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language
    • Failure to provide a mechanism by which data subject can withdraw consent
    • Failure to notify Data Subject of right to withdraw consent
    • Failure to obtain freely given consent (e.g. by linking consent to an unrelated contractual obligation).
  • Processing special categories of personal data (article 9)
    • Processing special categories of Personal Data without explicit consent or another specific lawful processing condition.
  • Rights of the Data Subject (articles 12-20)

Essentially, Article 12 creates the ‘envelope’ for offences relating to Data Subject Rights.

  • Article 12(1): Failing to take appropriate measures to provide information referred to in Article 14 (Information to be provided when data are collected from data subject), Article 14a (Information to be provided where data have not been obtained from the Data Subject), and in relation to Articles 15-20 in a manner which is concise, intelligible, transparent, and easily accessible, using clear and plain language, especially where addressed specifically to children.
  • Article 12(1a): Failure to provide Data Subject with a mechanism to exercise their rights in Articles 15-20, including where the Data Controller does not actually hold identifiable data (requirement is to have a communication path back to inform DS that no identifiable data is held, as per Article 10(2) – failure to do so is also a 2% offence).
  • Article 12(2): Failure to respond to a Data Subject Rights request within one month of receipt of the request.
  • Article 12(2): Failure to provide information in electronic format where it is requested electronically and no alternative is requested by the Data Subject.
  • Article 12(3): Failure to notify Data Subject within one month of receipt of a request of reasons for not complying and their rights to appeal.
  • Article 12(4): Levying any fee for provision of information under Articles 14 and 14a and for actions taken under Articles 15-20 and Article 32, except where it can be shown by the Data Controller that the requests are manifestly unfounded or excessive, in which case a reasonable fee may be charged to cover administrative costs incurred or costs of taking action requested.
  • Transfer of personal data to third countries (article 40-44)

Probably even more important, given the scrutiny of cross-border transfer to the US since the Schrems case, the GDPR places transfer of data to 3rd countries into the 4% Offence category. All provisions of Articles 41-44 must now be read in conjunction with the CJEU ruling in Schrems.

It is an offence under GDPR to transfer data to a 3rd country unless:

  • Article 41: Adequacy decision from EU Commission, taking into account rule of law allowing for effective and enforceable data subject rights, the existence and effective functioning of an independent Regulatory Authority, international commitments entered into.
  • Article 42: Transfers by way of Appropriate Safeguard:
    • A legally binding and enforceable agreement between Public Bodies
    • Binding Corporate Rules (Article 43)
    • standard model clauses adopted by the EU Commission
    • standard model clauses adopted by a supervisory authority and approved by the Commission (note: this might clash with the Schrems case’s insistence on independence of DPAs).
    • An approved code of conduct, with enforceable commitments against controller or processor in 3rd countries
    • An approved Certification mechanism under Article 39
  • Article 44: Specific Derogations
    • A range of specific derogations are set out that are broadly similar to the current Directive
  • Powers of the Supervisory Authority (article 53)

This is broadly similar to the current Directive and our existing Data Protection Acts.

  • Failure by a Controller or Processor, or their representative, to provide information on request to a supervisory authority required for the performance of their tasks.
  • Failure by a Controller or Processor to provide access to all personal data or information necessary for performance of supervisory authority tasks
  • Failure to allow access to premises, including any data processing equipment.
  • Failure to comply with an order to comply with a data subject’s requests re: rights under the Regulation
  • Failure to comply with an order to bring processing into compliance in a specified manner and in a specified period.
  • Failure to comply with an order to communicate a personal data breach to Data Subjects
  • Failure to comply with a prohibition on processing
  • Failure to comply with an order to rectify, restrict, or erase data and to notify 3rd parties of such actions
  • Failure of a Certifying Body to comply with an order to cease issuing certifications
  • Failure to comply with an order to cease transfers of data to 3rd countries or an international organisation

The Upshot

The GDPR contains a significant number of additional potential offences compared to our existing Data Protection legislation, with substantially increased penalties. Liability for penalties can be mitigated through effective Information Governance and Information Quality metrics.

By implementing controls such as the conduct of impact assessments on processing, requiring the documentation of key processes and process flows, and appropriate data classification and retention schedules (all things that are either required or are ‘good practice’ under current rules), organisations can significantly reduce their risk of breach and their risk of material penalties. They will also benefit from improved quality of data, reduced waste in time reviewing and rechecking data and correcting data, and an improved ability to respond to changes in technology or regulation that might affect their risk assessment or their ability to continue with their current business model.

