How fine are you when it comes to your progress towards your accountability obligations under the GDPR? Based on the answer to that, you can answer a second question: how fine are you about what may be coming your way for a breach of the GDPR when it becomes enforceable in under a year's time, on 25th May 2018?
Whilst I am not a fan of using the stick to goad companies into action (I prefer the USP differentiation approach, where preparedness and readiness enhance your commercial standing against the market and your competitors), the stick is a useful thing to bring to the attention of the CFO and the other purse-string holders, who need to know what they may have to insure against or provision for in their budgets should the nasty happen.
Handily, or not so handily if you fall foul of them, Article 83 of the GDPR sets out defined guidance on the potential wallet hammering you may receive if you are unlucky enough to be found in breach of one or more of its articles. The fines are tiered, and each tier is capped at either a percentage of total worldwide annual turnover for the preceding financial year or a fixed amount, whichever is the higher.
Fine Band A – “Lower” tier fine – up to 2% of annual global turnover or 10 million Euro, whichever is higher
- Article 8: Conditions applicable to child’s consent in relation to information society services
- Article 11: Processing which does not require identification
- Article 25: Data protection by design and by default
- Article 26: Joint controllers
- Article 27: Representatives of controllers or processors not established in the Union
- Article 28: Processor
- Article 29: Processing under the authority of the controller or processor
- Article 30: Records of processing activities
- Article 31: Cooperation with the supervisory authority
- Article 32: Security of processing
- Article 33: Notification of a personal data breach to the supervisory authority
- Article 34: Communication of a personal data breach to the data subject
- Article 35: Data protection impact assessment
- Article 36: Prior Consultation
- Article 37: Designation of the data protection officer
- Article 38: Position of the data protection officer
- Article 39: Tasks of the data protection officer
- Article 42: Certification
- Article 43: Certification bodies
Fine Band B – “Higher” tier fine – up to 4% of annual global turnover or 20 million Euro, whichever is higher
- Article 5: Principles relating to processing of personal data
- Article 6: Lawfulness of processing
- Article 7: Conditions for consent
- Article 9: Processing of special categories of personal data
- Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
- Article 13: Information to be provided where personal data are collected from the data subject
- Article 14: Information to be provided where personal data have not been obtained from the data subject
- Article 15: Right of access by the data subject
- Article 16: Right to rectification
- Article 17: Right to erasure (‘right to be forgotten’)
- Article 18: Right to restriction of processing
- Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
- Article 20: Right to data portability
- Article 21: Right to object
- Article 22: Automated individual decision-making, including profiling
The higher tier also covers transfers of personal data to third countries or international organisations (Articles 44 to 49) and failure to comply with an order or limitation imposed by a supervisory authority, so the list above is the core of it rather than the whole of it.
Quite a list, isn’t it! Make sure that you have started your GDPR journey.