Updated: Apr 25
The General Data Protection Regulation (GDPR) is the most stringent set of privacy and security regulations in the world. Introduced in May, 2018, the GDPR outlies the obligations of organizations that target or collect data related to citizens of the EU. In an effort to force compliance, the GDPR levies harsh penalties against organizations that violate its strict privacy and security standards. Depending on the extent of the violation, the penalties can reach tens of millions of euros.
An Overview of the GDPR
The GDPR provides a set of rules to outline the ways in which companies must process the personal data of EU citizens. The regulation sets forth organizational responsibilities to preserve the privacy and protection of personal data. In addition, the GDPR provides EU citizens with specific rights, and grants powers to regulators to request proof of adherence. It imposes fines in those cases where an organization is outside of compliance with requirements.
Who Does the GDPR Impact?
Any organization that collects and accepts personal information from any EU citizen is bound by the rules of the GDPR, regardless of that organization’s location. If the organization has an online presence in the form of a website and collects personal data from EU citizens, it is subject to the requirements of the GDPR. Essentially, this means the GDPR applies to all public-facing companies.
Achieving and Maintaining GDPR Compliance
Some of the key privacy and data protection requirements of the GDPR include:
Obtaining the consent of subjects for data processing
Making collected data anonymous in order to protect the data subject’s privacy
Providing notifications in the event of data breaches
Safely managing data transfers across borders
Requiring (for certain companies) the appointment a Data Protection Officer (DPO) to oversee and ensure GDPR compliance
GDPR Penalties for Non-Compliance
Failure to comply with the GDPR can lead to significant penalties, primarily the levying of fines. These fines can range from relatively small to very expensive, depending on the nature and extent of the infraction. The total amount is influenced by ten separate criteria:
Intention: Determining whether the breach was intentional or the result of negligence
Mitigation: An examination of the actions (if any) that were taken to minimize the damage
Preventative measures: A review of the organizational and technical steps that had been in place to help ensure compliance
Nature of infringement: Determining the number of people affected by the breach and the damages that were suffered as a result
History: A review of any infringements that have occurred in the past for this organization and whether they are relevant to the current breach
Cooperation: Assessing the degree in which the company is willing to cooperate to remedy the breach
Data Type: The type of data impacted by the breach
Notification: Determining whether the infringement was reported to the proper authorities in a timely manner
Certification: A review of whether the company has previously authorized certifications to and adherence to regulations
Other: Determining whether they are any other factors to consider
Depending on the findings of the above, there are two levels of fines that can be imposed to the company:
2% of the organization’s yearly global turnover, or approximately $12 million USD (the greater of the two)
4% of the organization’s yearly global turnover, or approximately $24 million USD (the greater of the two)
eLearning for GDPR Employee Training
LMS Portals provides a powerful, branded eLearning platform for online GDPR training activities. The system allows our clients and partners to easily build and deliver GDPR training content and courses and includes robust supporting tools for user onboarding, messaging, knowledge management, analytics, and more.
Contact us today to get started for free!