Some of the key changes set to be introduced by the GDPR include:
- increased scope – the GDPR will extend to all businesses processing the data of individuals who reside in the EU, regardless of the location of the business;
- breach notifications – any breach where there is a risk that the rights and freedoms of an individual could be compromised must be reported within 72 hours;
- right to access – individuals will have the right to request and receive confirmation of the data held on them, how it is being processed and for what purpose;
- data portability – individuals will have the right to receive personal data that has previously been provided, in a commonly used and readable format;
- right to be forgotten – individuals will have the right to request that the holder deletes data from all IT systems, including from backups and remote servers; and
- privacy by design – this requires the design of any new IT or other systems to include data protection systems from the outset.
Any breach of the General Data Protection Regulation could lead to severe fines.
According to paragraph 5 of Article 83, infringements can lead to fines of up to 20 million euros ($23.6 million at the time of writing) or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
It is, however, still being debated how the fines will be levied. According to CSO, maximum fines are rare, but there’s currently a great deal of variance from country to country. For example, in the U.K. the Information Commissioner’s Office can issue fines up to 500,000 GBP, but the highest fine to date was 400,000 GBP ($532,158) for telecoms company TalkTalk, after a major data breach that exposed the names, addresses, dates of birth, phone numbers and email addresses of more than 150,000 customers, and bank account details and sort codes for thousands.
It is clear that a failure to address data protection compliance obligations could prove very costly for organisations, especially as the guidelines take a broad view of “undertaking”, considering it to mean a parent company and all involved subsidiaries.
DFGR is a specialist Recruitment & Executive Search firm that focuses solely on the Digital Forensics & Cyber Security, IT Risk, Intelligence Insights & Analytics and Corporate Investigations space.