After the breach: counting the (regulatory) cost
February 25, 2019
There is, self-evidently, an enormous difference between a fine of £5,000 and a fine of up to 4% of global turnover. The General Data Protection Regulation (the “GDPR”) empowers European Data Protection Authorities with the discretion to impose fines which are “effective, proportionate and dissuasive”. This discretion translates into fines of:
- Up to €20 million, or a maximum of 4% of annual turnover (whichever is greater), for severe breaches; or
- Up to €10 million, or 2% of annual turnover (whichever is greater), for less severe breaches.
Recent enforcement action in Europe has demonstrated that, in certain circumstances, European regulators are willing to issue very large fines (in one case, €50 million). But, given the scope of the regulators’ discretion, it can be hard to know what level of fine an organisation can expect. This blog looks at what factors the Information Commissioner's Office (the “ICO”) may consider when levying a fine, and therefore what steps organisations should take to mitigate these considerations.
What will the ICO consider?
At the time of writing, the ICO has published its draft Regulatory Action Policy (“the Policy”), which, subject to Parliamentary approval, sets out the criteria that the ICO will consider when deciding whether to impose a fine and, if so, the amount.
In a personal data breach context, much of the damage has already been done, and there might be little that the affected organisation can do to improve its factual position at that stage. For example, the Policy tells us that the ICO’s fine will generally be higher where vulnerable individuals are affected, or where advice, guidance, recommendations or warnings (including from a data protection officer or the ICO) have been ignored or not acted upon.
Most companies that discover a breach are therefore likely to pay close attention to those Policy factors that are in their control.
What should an affected organisation focus on?
There are a number of factors which relate to post-breach conduct that are within an affected organisation’s control, which can impact on the calculation of any fine. The Policy tells us that, among other things, the ICO will focus on the risk to rights and freedoms of individuals and the positive post-breach actions taken by an organisation to mitigate the impact on individuals. Those actions might include post-incident assistance which will be considered favourably by the ICO, as will a quick resolution of technical and security issues post-breach.
Cooperation goes a long way to set the tone of an ICO investigation. Being open and honest, providing clear and prompt information, and ensuring a constant dialogue with the ICO are all important. Nevertheless, an affected organisation can cooperate fully with an investigation while robustly defending its interests and position.