The unintended GDPR consequences – white lies
A massive increase in fines incentivises Data Protection Officers to ‘misremember’
Regulations are meant to change behaviour. New norms, like no liquids on aircraft and compulsory seatbelts, sometimes have unforeseen effects. Who would have thought the great British pub, an institution of hundreds of years, would be threatened by the UK’s smoking ban? Or that thousands of pounds of cosmetics would go from airports to landfill every day?
Since 25th May, the EU’s wide-ranging data regulation, the General Data Protection Regulation (GDPR), has brought heavy penalties for those unable to deal with data breaches rapidly and transparently. However, until some legal precedents are set, the data guardians the regulation demands, Data Protection Officers or DPOs, face a moral dilemma. They can either exaggerate their incompetence or incur larger fines for their employers.
Under GDPR, breaches need to be reported fast: to the regulator within 72 hours of the organisation becoming aware of them, and to the affected individuals without undue delay where the breach is likely to put them at high risk. However, breaches which occurred before 25th May fall under the old regime, where the UK’s Information Commissioner’s Office (ICO) could fine at most £500,000, and so are likely to result in lighter fines, especially for larger companies. For example, the largest fine the ICO has ever levied, on both Dixons Carphone and an unknown, now bankrupt, nuisance call company, is £400,000, or about two years’ salary for an average Facebooker.
Large as these fines are, for larger firms it beats paying up to 4% of global turnover under GDPR. Some have calculated a breach could cost Dixons Carphone up to £59m, a lot more than £400,000! These big differences may end up producing some bizarre behaviour at organisations turning over more than £10m (the point at which 4% of turnover exceeds £400,000) which admit to a breach. Not at Dixons Carphone, which has impeccable data ethics, but perhaps elsewhere.
Why would the DPO of a larger UK company turning over a billion, as many in the FTSE do, admit to a post-25th May breach which could mean a fine of up to £40m (4% of turnover), when precedent indicates the maximum fine would be just 1% of that, or £400,000, if the breach occurred pre-GDPR?
This is the moral dilemma facing DPOs. They are the regulator’s designated point of contact for their organisation’s data protection compliance, and yet their salaries are paid by their employers, who obviously want to keep regulatory costs to a minimum.
There is also brand reputation to consider. Previously, it may have appeared negligent to discover an intrusion many years after the first breach. Now it could ‘make business sense’ to be vague on dates. For the unscrupulous, it may even be financially prudent to link the incidents of today to the breaches of yesteryear, and so to the lower pre-GDPR penalties. After all, the resources of those investigating are known to be limited.
We, EU citizens, supposedly benefit from new data protection laws. In reality, we rely on the honesty of some professionals who may have conflicted loyalties. Let’s see what view data regulators take of Europe’s data professionals with ‘fuzzy’ memories.