The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018. The regulation shook the world of commerce, bringing organizations across the globe into line with modern expectations of personal data protection and privacy.
In the run-up to the enactment of the regulation, there was much talk of the large fines associated with non-compliance. Let’s have a look at what the situation is vis-a-vis GDPR fines a year on — were companies right to be worried?
The GDPR fine levels
Before beginning, here is a recap of what the two levels of GDPR fine are set at:
Level 1: Applied to infringements of the controller's and processor's obligations, for example failing to notify a personal data breach or failing to carry out a Data Protection Impact Assessment (DPIA). This fine is set at up to 2% of total worldwide annual turnover for the preceding financial year or 10 million euros, whichever is higher.
Examples of obligations whose breach can attract a level 1 fine include:
- Ensuring that data protection “by design and by default” is performed (robust security measures)
- Keeping good records of data processing activities
- Demonstration of cooperation with the supervising authority (SA)
- Notification of a personal data breach to the SA
- Robust security when processing data
- Notifying the data subject of a personal data breach
- Performing a DPIA where one is required
- Designation, position or tasks of the Data Protection Officer, DPO (where applicable) (1)
Level 2: This level covers the basic principles for processing, including the conditions for consent to process personal data (and for processing special categories of data), and compliance with the eight data subject rights. This fine is set at up to 4% of total worldwide annual turnover for the preceding financial year or 20 million euros, whichever is higher.
GDPR compliance: Where we are today
A year on, according to Deloitte, only around 35% of organizations have achieved full compliance with the GDPR data breach notification process. This fact is exemplified in the European
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Susan Morrow. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/9TCv83ytC_s/