- [Narrator] Any organization with EU business transactions will be subject to the GDPR regulation. The countdown has begun and organizations need to be ready. This regulation was adopted by the EU Parliament on April 14 of 2016. The parliament then gave member states and any impacted organization two years to comply with the regulation. Since May 25, 2018, the provisions of the GDPR have been enacted.
What does compliance mean under GDPR? Compliance is really about having mechanisms in place to protect data. Note that there is no definitive definition for the word "reasonable" in this regulation, so organizations must be diligent about what is required. GDPR is designed to protect consumers and businesses, so the governing body may be stringent about this regulation to show the importance of its provisions. What happens if you're not ready? There are levels of fines that can be assessed on any organization that is found to be noncompliant.
On the lower limit, a company can be fined two percent of its annual revenue. Note that this is not net profit but all global revenues, or ten million euros, whichever is higher. On the other end of that spectrum, companies can be fined up to four percent of their annual revenue or 20 million euros, again whichever is higher. These fines will be detrimental to companies that are found to be noncompliant.
When the governing body is considering what level of fine to impose, they use certain criteria to determine what that fine will be. Some examples may be the mitigations that an organization had in place, the history of previous breaches, or that organization's cooperation with the governing body. All of these can be considered when determining where on that spectrum the fine will fall. Let's discuss an example. In 2017, TalkTalk was fined by the Information Commissioner's Office for failing to protect customer data.
Specifically called out were their security failings. The breach was proven to have been preventable with the proper security mechanisms in place. Under the regulations at the time, the Information Commissioner's Office fined TalkTalk 400 thousand pounds. Under GDPR, this fine could have been as much as 59 million pounds, which shows how impactful any fine under GDPR can be.
DISCLAIMER: Neither LinkedIn nor the instructor represents you, and they are not giving legal advice. The information conveyed through this course is not intended to give legal advice, but instead to communicate information to help viewers understand the basics of the topic presented. Certain concepts may not apply in all countries. The views (and legal interpretations) presented in this course do not necessarily represent the views of LinkedIn or Lynda.com.
- Define the objectives of GDPR relating to the personal privacy of citizens.
- Determine the responsibilities of data protection officers under GDPR.
- Identify the rights of citizens in the event of a data breach.
- Review the steps that must be taken in the event of a data breach.
- Describe the notification process in the event of a data breach.