The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. Although the European Union (EU) established the regulation, its reach extends across the globe. Any company that maintains personally identifiable information of EU citizens must comply or else risk significant GDPR fines.

If a data breach involving personally identifiable information of EU citizens occurs, the affected organization must report the breach within 72 hours to the Supervisory Authority (SA), which will then engage. As defined by Article 58, the SA holds the power to investigate, enforce corrective measures, and advise organizations in relation to compliance. This means that the SA will look into the facts of the matter, define the amount of any potential GDPR fines, and lay out recommendations for corrective actions. Below is a sample list representing some of the powers held by the SA.

Investigative Powers

During an investigation, the SA can:

  • Order the data controller and/or the data processor to provide any requested information or documentation
  • Perform data protection audits
  • Review compliance certifications that have been issued
  • Notify the data controller or data processor of alleged regulatory infringements
  • Request access to all personal data and information they require
  • Gain access to any location or data processing equipment of either the data controller or the data processor

Advisory Powers

While engaging with data controllers and data processors, the SA holds the advisory powers to:

  • Provide guidance on data protection impact assessments that indicate the processing would result in a high risk
  • Deliver opinions to parliament, national, or state governments with respect to any issues related to the protection of personal data
  • Issue certificates and approve criteria of certification
  • Authorize data processing, if a member state’s law requires authorization

Corrective Powers

Depending on the findings of the investigation, the SA has the right to:

  • Issue warnings to data controllers or data processors if it is deemed their processing operations are likely to fall short of compliance
  • Reprimand data controllers or data processors if they have infringed upon provisions of GDPR
  • Order the controller or processor to comply with a data subject’s requests (per their rights under GDPR)
  • Require specific actions be taken within a given time frame in order to bring an organization into compliance
  • Order a controller to notify a data breach to the data subject
  • Temporarily or permanently stop an organization from being able to continue data processing, or from sending that data outside of a given country
  • Withdraw a previously awarded certification, or order the certification body not to issue a certification
  • Impose administrative fines

Conditions the SA Considers While Determining GDPR Fines

Article 83 defines the general conditions and powers the SA has to impose administrative fines:

  • Impose fines in each individual case with the intent that they are effective, proportionate, and dissuasive
  • Consider the following circumstances when determining whether a fine is appropriate, and if so, how much it should be:
    • The nature, gravity and duration of the infringement
    • The degree of intention and/or neglect
    • The actions of the data controller to mitigate the damage
    • The technical and/or organizational measures taken to achieve compliance
    • Whether any prior infringements have occurred, and if so, whether they were of a similar nature
    • The degree of cooperation to remedy the infringement and mitigate its damage
    • The type of personal data lost
    • The timeliness of breach notification
    • The use of best practices by the data controller or data processor
    • The motive of the infringement, and whether the infringement delivered monetary gain
    • Whether any previous Supervisory Authority orders were followed or ignored
  • Impose fines up to 20,000,000.00 EUR, or 4% of a company’s total annual turnover (gross revenue) of the preceding year, whichever is higher

Summary

Once the regulation goes live on May 25, 2018, the Supervisory Authority will determine the monetary value of any GDPR fines levied in the event of a data breach involving personally identifiable information of EU citizens. The guidelines, as defined by the regulation, give the SA discretion as to the disciplinary actions it can take against offending data processing organizations; however, many industry experts expect the SA to come down hard on any early cases that come before it. 20,000,000.00 EUR (or 4 percent of global annual turnover) could have a significant impact on the bottom line, but the risk to brand reputation is even greater. Early breaches will receive unprecedented coverage from the global news media.

Use your network as a sensor

For more information on GDPR, take a look at my previous blog: Three GDPR Requirements That Will Have a Big Impact on Your Organization. In it, I wrote about how effective incident response platforms like Scrutinizer will be critically important to meeting the 72-hour notification requirement. Not only will Scrutinizer help you know what happened and provide the historical forensic data you need, but it will also lead to quick mitigation of the damage, which is a key criterion the SA uses when determining the amount of GDPR fines.

Bob Noel

Bob Noel is Director of Strategic Partnerships and Marketing at Plixer. Noel has over 20 years’ experience in networking and security technologies, having spent time in senior roles with industry leaders such as Cisco, Cabletron, Extreme Networks, and Plixer. Noel is an international speaker, highly sought for his knowledge of network architectures and security, next generation data centers and virtualization, and the emerging dynamics of Software Defined Networking. His background spans sales, systems engineering, training, technology alliance, and marketing leadership positions. Noel is currently located at Plixer’s headquarters in Kennebunk, ME.