The GDPR has a tiered penalty structure that will take a large bite out of offenders' funds, and the EU GDPR rules apply to both data controllers and processors.

Non-compliance results in fines of up to 4% of global revenue.

This can include violations of basic principles related to data security, especially PbD principles. A company can be fined up to 2% of global revenue for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach (articles 31, 32), or not conducting impact assessments (article 33).

And keep in mind: the GDPR breach notification requires more than just saying you have had an incident. You'll have to include the categories of data, the records touched, and the approximate number of data subjects affected. This means you'll need detailed intelligence on what the hackers and insiders were doing.

More serious infringements merit a fine of up to 4%. This includes violations of basic principles related to data security (article 5) and conditions for consumer consent (article 7); these are essentially violations of the core Privacy by Design concepts of the law.

One way the GDPR is hoping to keep everything in line? By requiring companies to have a Data Protection Officer (DPO). The DPO is supposed to be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches within 72 hours, and even creating a good data security policy.