The GDPR clock has struck. This is the beginning of the tide of regulations that will sweep over EU data, and no one really wants to be on the wrong side of the regulations. Entities that have prepared themselves to be compliant can now carry on with their routine processes, with the assurance of having taken the correct initiative. Entities that have been left behind, either due to compulsions or improper implementation, the lack of compliance bodes ill for their future. If you represent an organisation (even all accounting and bookkeeping services) that is non compliant, here is what you need to know about possible punitive action or implications.
Overview of GDPR regulations
- Any entity that collects or processes EU data, directly or through third parties need to comply
- Two tiers of penalties apply – technical violations and breach of principle processes
- Punitive actions include reprimands, warnings, data processing bans
- Businesses face the prospect of fines, liabilities arising out of damages, and loss of revenue due to reputational damage.
This is just the operational aspect of GDPR regulations, which involve different processes and procedures that need to be followed in the case of eventualities. The regulations mandate the need for a set of well defined processes, an SOP that needs to be diligently followed as a matter of routine and during incidents. While all these aspects are technical in nature, for an accountant the implications in terms of penalties arising out of breaches will be more relevant. Here is a look at the two different tiers of breaches that invite different penalties.
The two different tiers of penalties
Tier – 1 : Non compliance with technical measures of the GDPR Act
The lesser of the two tiers of penalties in the GDPR Act are lapses in implementing the right technical measures. The maximum fines that can be levied in this tier are € 10 million or 2% of annual turnover of the organisation, whichever is higher. Bear in mind that it is the turnover that will be considered and not the profit. This effectively means that an organisation that gets the ‘maximum’ rap for a breach will be looking at a minimum of € 10 million as penalties and in case the turnover of the organisation exceeds € 500 million, the fined amount will be higher than € 10 million. The fine amount is staggering by all indications. Though intended as a deterrent, there is no guarantee that the clauses will not be invoked under certain circumstances. In addition to the fines that are levied, there is the ensuing loss of reputation, and irreparable damage to business. In addition, depending on the nature of the breach, if many entities have been affected as a result of the incident, possible legal remedy may be pursued by the affected parties and this could deal crippling blows to an already beleaguered organisation.
Tier – 2 : Breach of rights or freedom of data subjects; non compliance with main principles of the Act
The stiffer of the two penalties, this relates to violations or breaches that affect the rights and the freedom of the data subjects. It is basically read as a violation of the main principles behind the GDPR Act. It calls for the levy of fines to the tune of € 20 million or 4% of annual turnover of the organisation, whichever is higher. Here again, it is the turnover that will be considered and not the profit. The doubling of percentage of fine and the clause of ‘whichever is higher’ effectively means that an organisation that records a turnover of less than € 500 million will be poorer by upto € 20 million, and in the case of organisations with a turnover that exceeds € 500 million, the penalties will be a lot higher. Tier 2 of the fines may actually find greater invoking of the relevant clauses, because it involves the breach of rights of subjects. This means that a tier 2 breach may have resulted in the violation of privacy laws leaving affected entities. And organisations will face increased chances being levied the fine because of the affected entities. Here again, a loss of reputation and exercise of possible legal options from the affected parties cannot be ruled out.
Procedure followed for assessment of penalties
While the interpretation of the tiers of penalties will not differ, the extent of fines within each tier will be determined by many factors including the following :
- The nature of data that was breached
- Past instances of similar breaches in the organisation
- The underlying reasons for the breach – negligence or deliberate actions
- The compliance with certifications of data protection
- Whether notification procedures were followed after the breach
- Extent of cooperation with authorities, during and after the breach
- Attempts by entity to mitigate effects of the breach
- Extent of damage caused by the incident(s)
- Whether intimation/information was shared with affected entities
- Security Audit/Preventive measures in place to avoid the occurrence of breaches
- The presence of any mitigating conditions in the breach that lessen the onus of responsibility on the entity
Implications of data processing ban
Apart from the fines and other legal remedies, of particular interest will be the ban on data processing that the GPR Act may impose on entities. The Act calls for the imposition of either a temporary or a permanent ban on data processing on the entities involved. Regardless of the nature of the ban, i.e temporary or permanent, a ban by itself can sink an organisation. In a data driven world, the inability to process data can send an organisation packing into the wilderness for a long period. A permanent ban will signal the end of the business. And no organisation will want to find itself in such a situation. For instance, a temporary ban of even one month can drive clients away. After all, no client would want to wait for one month to resume their operations because of an infringement by an operator/processor. This means that entities will have to contend with multiple issues of fines, possible legal action and a ban. It is true that all the administrative fines and possibilities of bans are more deterrent in nature and may not be imposed without a proper application of the relevant laws and a thorough investigation. But, finding one’s company in the dock may itself be cause for worry, and winning the trust of clients will be tougher than acquiring new clients.
All accounting and bookkeeping services are at risk of getting banned if they are not GDPR compliant. Providing work to an outsourced accounting firm like Outbooks can help accounting and bookkeeping companies in the UK get work done all the while staying compliant.
Comparison with ICO fines
On a purely hypothetical level, a comparison between fines of the past that have been levied by the ICO, the national data protection authority of the UK and the proportionate fines that would have been levied if GDPR had been in place are cause for alarm. The comparison statistics show that if the fines levied under the ICO regime, were to be levied under the GDPR, it would be almost 38 times in value. To put this into perspective, it means that if an entity had been fined an amount of £ 50000 under the ICO, the same entity would have been fined £ 1.9 million under the GDPR. The difference is staggering, it can sink a company into oblivion.
Compliance with GDPR is not a choice, but a means to remain in business for companies that deal with EU data. One of the advantages of being GDPR compliant is the fact that this does not require staggering expenses. It does involve expenses, but more importantly, it demands processes to be changed. The improved security will certainly make the business more secure. In an era where intrusions and incidents are too frequent, it makes it all the more important to have measures in place that will pre-empt and mitigate the same.