As a moderator of GDPR panels, I sometimes ask the audience what is the first thing which comes to mind when they come across the letters “GDPR”; every time it is the bloody fines.
There has been no particular focus on what the fines are actually for, or on the other remedies available to regulators. The impression has been given that organisations will be hit with a fine of 4% of their global turnover for any GDPR breach.
Perhaps this got board attention in the early days of GDPR marketing. The UK Information Commissioner’s Office did its best to calm down the misperceptions; one of its very good series of articles on “GDPR myths” emphasised both that there are alternative remedies and that its intention was a graded series of steps towards enforcement.
The Article 29 Data Protection Working Party has issued Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 aka the GDPR. These were adopted in October 2017 and have recently been issued in different language versions.
The Guidelines stress in the introduction that their aim is to express a “common understanding” of the enforcement part of the regulation and to encourage “the consistent approach to the imposition of the administrative fines”.
Section II stresses that “administrative fines should adequately respond to the nature, gravity and consequences of the breach” and that corrective measures should be “effective, proportionate and dissuasive”.
The point, it goes on (on page 7),
…is not to qualify the fines as last resort, not shy away from issuing fines, but on the other hand not to use them in such a way which would devalue their effectiveness as a tool.
The guidelines quote Recital 148 of the GDPR which is perhaps worth setting out in full here:
In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation.
In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.
Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor.
The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process
The relevant criteria are set out in Part III of the Guidelines beginning on page 9. That section also makes it clear that while “specific infringements are not given a specific price tag”, different levels of penalty “are indicative of a relative lower degree of gravity”.
If you are in the business of assessing risk, perhaps in order to decide what resources to allocate to the reduction of that risk, it is not particularly helpful to approach the subject with the idea that every infringement will attract the same level of penalty. No part of the GDPR is optional, but the aim is to encourage attention towards the things which matter most, not (or not mainly) to the organisation itself but to those likely to be affected by its actions or lack of actions. Those who comply already with existing regulations (which are of some antiquity by now) have obviously have less of a mountain to climb.
We have seen growing maturity in most GDPR marketing, with a closer focus on what organisations should be doing now to become as compliant as possible with the new culture (and culture is what the GDPR aims to change). Many software and services providers have been offering relevant services for a long time without the GDPR tag, stressing the value of knowing what data exists and the importance of giving authority to a named and senior person to marshal corporate resources towards the identification and control of problem data. “Problem data” is not just data with personal information in it, but data which attracts the attention of other regulators, data which may hold unknown risks, data which may cause unnecessary expense down the line (e.g. in discovery), and data whose bulk obscures valuable information.
It may be important, of course, to mention that the GDPR brings risks of new purely financial penalties. The test of good marketing, however, is this: if you remove the reference to penalties, or describe the penalty regime in the graded manner set out in WP 253 (including non-financial enforcement actions), does the rest of your marketing offer something positive, actionable and achievable for the clients you seek to woo?