Group Fines Under the GDPR

How Multinational Companies May be Affected by Their Subsidiaries’ Noncompliance

Introduction

— by Lindsey Ullian, Threat Stack Compliance Manager

Preparing for GDPR was similar to preparing for Y2K — heads down grinding with anxiety running high, only to find that May 25th came and went without a peep. So what was all that hard work and worry for, anyway? What drove all the privacy emails and data inventorying within companies? In all honesty, it was most likely driven by the high consequences that a company might suffer as a result of noncompliance. But just because your company is now “GDPR ready,” does that mean you’re safe from heavy fines?

Not necessarily. The noncompliance of other companies just might make you vulnerable.

In this post, Kevin Kish, Privacy Technical Lead with Schellman & Company, explains how you may be affected by your subsidiaries’ noncompliance and how you can manage the risk.

---

“Up to 4 % of an undertaking’s global worldwide annual turnover for the preceding fiscal year”

This is arguably the single most powerful (and certainly the most frightening) statement from the GDPR. The heavy consequences of noncompliance with the recently enacted regulation was most likely the catalyst that propelled many organizations’ readiness review for GDPR. At a high level, one may assume that you can compute your risk exposure simply by multiplying (.04 x Gross Annual Revenue).

But it is not always that easy! This formula applies to organizations that are part of a single “undertaking” as defined by the regulation. For organizations that are not considered a single undertaking, the total exposure may be more difficult to calculate since the annual revenue totals may be part of a larger group of enterprises. This aspect of GDPR raises a number of critical questions, including the following:

• What is an “undertaking”?
• How do I know whether I am a single undertaking?
• If I am not a single undertaking, how do I compute my potential risk of noncompliance?
• Is a fine inevitable, or could I receive a lesser penalty?

Definition of Undertaking

Let’s clarify what an “undertaking” means for you and your business. Unfortunately, if you are hoping to find a clear description within the GDPR, you will need to do some extrapolation of your own to come to a conclusion. We have researched this topic from a variety of sources to pull our definition.

According to the Court of Justice of the European Union (CJEU), the concept of an undertaking:

“encompasses every entity engaged in an economic activity, regardless of the legal status of the entity or the way in which it is financed.”

Simply put, if you are a small, independent company with no subsidiaries or affiliated companies, you are likely to be classified as a single undertaking according to the Regulation. Easy! But remember: There are many cases in which added factors will complicate the situation — in particular, where multi-structured companies exist (i.e., parent/subsidiary relationships).

“Undertaking” defines one company, right? Think again.

The GDPR does provide some guidance on how an “undertaking” should be understood, and that is in accordance with Articles 101 and 102 in the Treaty on the Functioning of the European Union (TFEU for short). In general (and abbreviated), the articles state:

“An undertaking is a group of enterprises who are engaged in a joint economic activity to be part of the same undertaking.”

Group of undertakings. What does that mean? To provide some insight to this, let’s look to Recital (37) of the Regulation where we can begin to draw key characteristics of a “group of undertakings.” Specifically:

“A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.”

Key characteristics of a controlling undertaking of a group of undertakings are:

• Ownership
• Financial participation
• Control over data protection rule implementation

Can I just be reprimanded (and not receive a fine)?

A reprimand may be issued instead of a fine where the fine would constitute a disproportionate burden to a natural person; where the breach is a minor infringement; and where the infringer adheres to a code of conduct, and the regulator considers that enforcement under the code will be sufficiently effective or proportionate.

These guidances place subjectivity and, arguably, considerable discretion in the hands of the regulators. Regulators should assess the weight of the fine by evaluating the nature, gravity, and duration of the infringement. This includes factors such as the level of damage suffered by individuals, purpose of the processing, and number of people affected. Also important to note is that by reacting properly, you can mitigate your fine. Receiving the strictest fine is not a mandate — mitigating the impact on individuals by preventing the breach from expanding or continuing, for example, may lessen the fine.

Wrapping up: Who’s really at stake here?

Since we are not quite sure about how the GDPR fines will be applied or how they will view multi-structured organizations with parent/subsidiary relationships, it would be a good time to determine the precise level of control and influence parent companies exercise over their subsidiaries — and, to conclude whether personal data is shared amongst the joint entities.

Something to consider: The GDPR recognizes that an undertaking may be a group of undertakings engaging in joint economic activity (as stated earlier) — and fines to an undertaking are subject up to 20,000,000 EUR or up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

With this level of risk, it is definitely worth being involved in your subsidiaries’ compliance efforts to be prepared for May 2018 and beyond!

For Additional Information . . .

For additional information and guidance on the GDPR, feel free to download the following ebooks prepared by Schellman & Company:

• GDPR: What it Means for US-Based Companies
• Understanding and Demonstrating Alignment With the GDPR

We also invite you to:

• See how Threat Stack’s Cloud Security Platform^® addresses GDPR compliance obligations

About Schellman & Company, LLC.

Schellman & Company, LLC is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Quali­fied Security Assessor, an ISO Certifi­cation Body, HITRUST Assessor, and a FedRAMP 3PAO. We are a trusted provider to the world’s leading companies, from the Fortune 1000 and publicly traded companies, to privately held entities of all sizes. Our service delivery model allows for optimum quality and client experience for organizations of every size and complexity. We are setting the pace and blazing new trails. We are the only company in the world capable of providing our clients the rare opportunity to achieve multiple compliance objectives through a single independent assessor — using experienced teams dedicated to delivering the highest quality.

*** This is a Security Bloggers Network syndicated blog from Blog – Threat Stack authored by Kevin Kish. Read the original post at: https://www.threatstack.com/blog/group-fines-under-the-gdpr