The EU GDPR is a legal set of rules that must be adhered to by any business that processes personal information. Processing is defined as collecting, storing or making use of such information.
The EU GDPR provides a coherent personal data privacy law across all EU member states. It aims to prevent security breaches and the loss of personal data by organisations that hold and process PII. It affects any organisation that offers goods and services – even free ones – or monitors the behaviour of EU citizens. The penalties for breaking the regulation can be financially extreme and significantly detrimental. The regulation came into force on 25 May 2018.
WHAT YOUR BUSINESS NEEDS TO DO
The GDPR significantly impacts a business’s approach to data privacy compliance. You should by now be well under way to ensuring that you are GDPR compliant and capable of providing documentary evidence of your risk management processes and their effectiveness. Furthermore, you have to be able to demonstrate continuous compliance. Such a framework must include governance practices, communication processes and risk controls for maintaining compliance.
Administrative fines will be levied by the Supervisory Authorities. A breaching organisation may also be sued by Data Subjects individually, or via Class Action.
Administrative fines will be “effective, proportionate and dissuasive”. A two-tier sanctions regime applies according to which specific Articles have been breached. Tier one carries fines of up to €20M or 4% of the company’s global annual turnover for the preceding year, whichever is greater; tier two carries fines of up to €10M or 2% of the global annual turnover for the preceding year, whichever is greater.
Fines from the Information Commissioner’s Office (ICO) against British companies last year totalled £880.5K. Had the GDPR been applied, the fines would have reached £69M.