I’ve posted some GDPR stuff on Jyutsu.com
My high-level map of GDPR fines (pdf)
Although my PhD research is not on GDPR fines, the outcome of my research should help organisations be better prepared to respond to data breach incidents.
Not notifying affected data subjects when ordered to by the data authority (the ICO in the UK) falls under the higher first tier of fines, i.e. up to 4% of annual worldwide turnover or EUR 20M, whichever is higher (Art 83(5)(e), failure to comply with an order under Art 58(2)). Failure to notify a data breach to the data authority (Art 33) and to affected data subjects (Art 34) exposes organisations to the second tier of fines, i.e. up to 2% of annual worldwide turnover or EUR 10M, whichever is higher (Art 83(4)(a)). In essence, be prepared to be fined when you fail to comply with the breach notification requirements of Art 33 and Art 34.
Note that when organisations have a security breach that amounts to a failure to comply with the data processing principles in Art 5(1)(f) (integrity and confidentiality, i.e. failure to use appropriate technical or organisational measures), this falls under the higher first tier of fines (Art 83(5)(a)). The narrower security-of-processing obligation in Art 32, by contrast, sits in the second tier (Art 83(4)(a)), so which article the authority chooses to frame a breach under matters.
So there is no way to avoid the fines unless you can avoid security breaches altogether, or at least avoid falling foul of the data processing principles.
The EU's newsroom site carries various information on and from the Article 29 Working Party.
Currently, the guidelines are:
Guidelines on the right to “data portability”, wp242rev.01 pdf
Guidelines on Data Protection Officers (‘DPOs’), wp243rev.01 pdf
Guidelines on The Lead Supervisory Authority, wp244rev.01 pdf
Guidelines on Data Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA), wp248_en pdf
More to add…
Warning: the infographics are not to be treated as 'legal' text.
ICO on GDPR – breach notification.
Next to watch: the Article 29 Working Party guidelines.
Posting the link to Twitter:
My tweet on my MPhil/PhD seminar slides
If you want to bypass Twitter, you are welcome to use this direct link:
Cher’s talks, slides & videos
Thanks!
It's a pity Theresa May did not trigger Article 50 on 1st April, to fool us all!
The rules of negotiation at EU or international level will no doubt be shaken and stirred, all for the world to watch, observe and follow. Forget about the leaders; they are mere puppets with strings attached, only there for their own shows. The winners and losers will be noted down in the history books, but more likely be spread digitally and virally, fake or real. Who knows, or who cares?!
No fake news, though, when it comes to the GDPR in Brexit UK: for data protection and privacy it is exit only, with no U-turn allowed. It seems that data, or more accurately data privacy, unites (and also dis-unites?) all of humanity, whether we like it or not.
February 1, 2017 – 10:48 pm
It is never a dull moment when it comes to privacy, especially now that Trump is in the White House (when he is not in Trump Tower).
Europe's Privacy Shield shaken by the US President
Will there be a real test of the EU-US Privacy Shield?