GDPR - Are the proposed fines too high? Posted by Mike on 25 November 2015

The General Data Protection Regulation (GDPR) is expected to be finalised either late next month, or early in Q1 2016. One of the more contentious aspects of this legislation is the new fine regime, enforceable when an organisation is found to be in breach of the legislation. How effective are these fines going to be?

Firstly, let's recap on what the fines will be:

1. Up to €100,000,000

or

2. Up to 5% of annual global turnover

By anyone's definition, this is a major increase in financial penalties under the GDPR.

The first impression one must take is that the financial amounts are extremely high, indicating that the primary target here is large multinationals, with deep coffers and the necessary contingency plans. It most certainly cannot be argued that fines of this type have been devised with small and medium businesses in mind.

Enforcing enterprise-scale financial fines on smaller businesses seems inherently unfair and, if anything, will likely have a negative impact on commercial decision-making involving personal data in that market.

Considering as well that the scale of data breaches in the SME market is a fraction of that seen in the enterprise space only adds to the sense of injustice. Surely more modest penalties can be devised which still achieve the necessary balance of carrot and stick.

In addition, the fines proposed for the GDPR must also be seen in the contrasting light of the Digital Single Market initiative within the EU. This involves a series of changes to national and pan-national laws and procedures to enable a more seamless flow of digital data and projects across borders, all designed to make Europe more attractive to innovation and technological progress.

The penalties proposed in the GDPR clearly present financial risks that inhibit, rather than promote, adoption of this single market initiative.

My personal opinion is that these penalties will receive more sanitisation over the coming months, and will be re-gauged to reflect fairer penalties on smaller organisations.