GDPR fines — why everyone should forget about them
GDPR – A new law that isn’t actually new…
The European General Data Protection Regulation, more famously known for the abbreviation GDPR, will enter into force on May 25th this year. GDPR was enacted by the EU legislator with the aim, among other things, of enhancing current EU privacy laws. Its main purpose is to raise the bar on the visibility and control individual people should have over their own personal data.
With less than 100 days left until “day 1”, social media and the public sphere are full of discussion and advice around how to comply with GDPR. Trying to make sense of the flood of information can certainly feel confusing. And it definitely doesn’t help that the text of the GDPR itself is filled with lots and lots of vague and complex requirements.
Surprisingly, what often goes unsaid is that most of the fundamental principles, such as the requirements on consent, transparency, data deletion (also known as the “right to be forgotten”) or data access rights, have actually all been a part of the European privacy laws for nearly two decades.
… but it does introduce the fines
So, if the European laws have always provided for the same rights to individuals as GDPR does, then why are we all talking about these things as if they were completely new? Well, it really boils down to administrative fines. Under GDPR a supervisory data protection authority will have the right to impose fines on companies that breach their obligations under GDPR. And these fines may be as high as 20 million euros or 4% of the breaching company’s and its affiliate companies’ combined global turnover, whichever results in the higher sum. Most European member states have not had fines like these in their laws.
No one really knows how to be completely protected from the fines
With the looming threat of fines, GDPR compliance may very well begin to feel discouraging and daunting. And not least because of the principle of “accountability”, which essentially means that companies have to be able to demonstrate that they comply with GDPR. But with all the vagueness that comes with the different requirements, some have already jokingly called this the “prove that you’re not guilty” rule, because there’s no clear line to cross.
So how can one claim to be accountable against something that can’t be defined in binary terms? Well, you simply need to take risks. Throughout GDPR, companies are in fact encouraged to implement protective measures corresponding to the level of risk of their own data processing activities. This idea of a risk-based approach means that companies are pushed to set their own bars for compliance. And if your aim is to be surely protected against any possibility of the fines, a journey to “full compliance” might just become an endless task, because there’s always room for raising the bar.
One study reveals that big corporations have a mean privacy spending amounting to tens of millions of dollars. And even with these numbers the privacy professionals working for those companies feel their budgets are not enough to do the job. Why? Because from a compliance perspective, one can never be sure of what is enough.
So, could there be another way to make sense out of GDPR compliance?
Focus on the individual, not on the fines
So far we haven’t really talked about the individual people, or as GDPR calls them, the data subjects — whether they are your customers, your employees, or any other individuals whose personal data you collect and use.
Instead of focusing on the daunting and possibly never ending race to avoid fines, wouldn’t it make sense to shift focus from fines and authorities to serving data subjects the rights that both the current European privacy laws and GDPR set forth?
After all, the best possible way to avoid fines might just be to keep your data subjects happy. Because the happier your data subjects are, the less likely they are to bring complaints to an authority. The fewer complaints an authority receives, the less likely it is to launch an investigation. And with a diminishing likelihood of investigations, the probability of fines becomes significantly smaller.
Once you shift focus from avoiding fines to serving the individual, the task suddenly becomes a lot clearer and easier to prioritize. Ultimately, a data subject enjoys four fundamental rights under GDPR:
- the right to transparency, meaning the right to receive clear and concise information about how personal data is being collected and used;
- the right to consent to, or object to, the collection and use of personal data;
- the right to access one’s own personal data, to get a copy of that data, and the right to have the data transferred directly from one data controller to another; and
- the right to be forgotten, meaning the right to have one’s data deleted when it is no longer necessary for the purpose it was originally collected for.
If you are able to deliver these four rights to individuals in a meaningful manner, chances are that all the other requirements under GDPR will start falling into place.
At Portyr, we’re building technology aimed at solving GDPR by providing companies with sensible ways to take meaningful and effective steps towards complying with GDPR. Because at the end of the day GDPR is not about the fines but about giving people visibility and control over their own data.
So, again, keep your data subjects informed and satisfied, and you yourself will be more effective in your GDPR efforts.
In the following blog series, Portyr introduces distinct perspectives and concrete approaches on how to tackle the challenge of GDPR compliance by eating the elephant in pieces.
This blog series is contributed by Otto Markkanen, a long-time privacy and technology lawyer and co-founder of Portyr.