GDPR and Cybersecurity, a Very Limited Partnership


If a security vendor has ever told you that the GDPR is imposing fines of up to 4% of annual global revenue for data breaches, they are either:

- ignorant of the standard; and/or
- lying.

Being generous, they may not actually know they are lying. The General Data Protection Regulation (GDPR) is not exactly easy to decipher, but even a cursory review tells a very different story. I will therefore attempt to address the following points in the course of this blog post:

- The GDPR is 95% related to the RIGHT to privacy, not the LOSS of privacy through data breach;
- The maximum fine for ANY organisation is 2% of ‘annual turnover’ for even the most egregious loss of data through breach, not 4%;
- Fines are entirely discretionary, and an appropriate security program will significantly reduce any fines levied; and
- There is nothing in the GDPR with regard to cybersecurity that is new, or in any way beyond what you should have in place anyway.

There are 2 Types of Privacy?

Ask a lawyer in the EU what privacy is and s/he’ll likely quote Article 12 of the Universal Declaration of Human Rights: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

From a GDPR perspective, this equates to two of its three fundamental aspects. Grossly simplified, these are:

- Explicit consent; and
- Legitimate use.

In other words, the vast majority of the GDPR is concerned with obtaining explicit consent for the personal data collected, and then ONLY using that data for legitimate purposes in line with the consent received.

Even when the GDPR refers to ‘security’, it is more concerned with these two fundamentals than it is with the security of the data itself. That is what is meant by “security of processing”.

However, from a cybersecurity professional’s perspective, and in the third fundamental aspect of the GDPR, privacy is a matter of loss: the data was stolen during a breach, or somehow manipulated towards nefarious ends. This is a very important part of the GDPR (hell, it’s a very important part of being in business), but it should never be used to sell you something you don’t need.

Maximum fines?

From my review, it can be assumed that, if the maximum fine for ANY data breach, no matter how egregious, is 2% of the annual revenue from the previous year (in the case of an undertaking), then 2% is what each supervisory authority considers the maximum needed for a fine to qualify as “effective, proportionate and dissuasive”. A fine of 10,000,000 would therefore be reserved for an organisation with annual revenue over 500,000,000.

