What is GDPR?
Born out of sophisticated cyber threats, technology advances, and concerns about data misuse, the European Union’s General Data Protection Regulation (GDPR) is not just one of many other data protection frameworks or requirements. This law is the top regulatory focus of 2018, even among US companies, and is considered to be one of the most significant information security and privacy laws of our time. The law gives data subjects rights over their personal data and establishes obligations for any organization around the world that is processing the data of an EU data subject, making the applicability of the law follow data rather than following a data subject or physical location.
GDPR requires all data controllers and data processors that handle personal data of data subjects to apply appropriate security and organizational measures in order to safeguard the confidentiality, integrity, and availability of processing services. GDPR was enacted in 2016 and became enforceable on May 25, 2018.
What are the Penalties of Non-Compliance?
Organizations who have grown used to being slapped with minor fines for data breaches or data misuse may be shocked to hear that GDPR sets forth two tiers of fines, with the lower level charging up to €10 million or 2% of a company’s annual global revenue, whichever is greater. The lower level tier is imposed for breaches of controller or processor obligations, and the upper level is imposed for breaches of data subjects’ rights and freedoms. The upper level tier fines up to €20 million for violations or 4% of a company’s annual global revenue, whichever is greater.
Let’s take a look at a few examples of how non-compliance could impact an organization.
- In 2017, Hilton Hotels & Resorts was fined $700,000 for a data breach that impacted over 350,000 cardholders. That’s a fine of just $2 per person affected by the breach. Considering that Hilton’s annual global turnover for the previous year was $10.5 billion, the company could have been fined a maximum of $420 million for the breach under the GPDR’s harshest fine. That’s a fine of $1,200 per person affected.
- Between 2013 and 2014, 3 billion Yahoo user accounts were breached. Yahoo did not disclose the severity of the breach until 2017, thus failing to meet the 72-hour notification requirement established by GDPR. Because Yahoo’s revenue exceeded $4 billion in 2012, the company could have been fined between $80 million – $160 million if GDPR was in effect at the time of the breach.
Not only are the requirements and scope for GDPR extremely broad, but the fines and penalties that organizations could face due to non-compliance are unlike any fines and penalties imposed by a regulatory body before. This is why understanding this revolutionary data privacy law is so important.
More GDPR Resources
Welcome to the KirkpatrickPrice video series on the General Data Protection Regulation. At KirkpatrickPrice, our vision statement is to educate, empower, and inspire. In this video series, we will educate you regarding the General Data Protection Regulation, empower you to take the actions that your organization needs to become compliant, and inspire you to maintain compliance throughout the duration of your processing activities. The General Data Protection Regulation is a law that was enacted in 2016 and became enforceable on May 25, 2018. The law gives data subjects rights over their personal data and establishes obligations on any organization around the world that is processing the data of an EU data subject. The law sets forth fines of up to €20 million for violations or 4% of a company’s global revenue, whichever is greater. That’s the reason that knowing and following the law is so important. Join us in this series as we help you comply with GDPR.