GDPR Data Security

There are a range of data protection processes and requirements that all businesses must comply with under the General Data Protection Regulations.  From a purely “data security” standpoint, it is important that any organisation takes appropriate measures to secure the data they hold or store elsewhere – particularly data relating to employees, customers, clients and other third parties.

When your organisation signs up to our 360 Cyber Protection service and has been certified to the Cyber Essentials framework, you will already have gone a long way towards meeting GDPR Data security requirements.  Only two additional requirements need to be implemented in order to provide the best possible compliance to GDPR data security standards, these are:

  1. Applying encryption to all endpoint devices and to data stored locally and remotely.
  2. Continuous backing up data to a secure onsite and offsite location.

These services are available at additional cost and will be based upon the number of devices to be encrypted and the amount of data that is backed-up.  We will discuss this with you during the sign-up process.

Further information about GDPR Fines

There are two levels of fines based on the (GDPR).  The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.  The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.  The potential fines are substantial and a good reason for companies to ensure compliance with the Regulation.

Fines for infringements will be considered on a case-by-case basis and will take a number of criteria into consideration, such as the intentional nature of the infringement, how many subjects were affected and any previous infringements by the controller or processor.

The lower level of fine, up to €10 million or 2% of the company’s global annual turnover, will be considered for infringements listed in Article 83(4) of the General Data Protection Regulation.

This includes infringements relating to:

  • Integrating data protection ‘by design and by default’
  • Records of processing activities
  • Cooperation with the supervising authority
  • Security of processing data
  • Notification of a personal data breach to the supervisory authority
  • Communication of a personal data breach to the data subject
  • Data Protection Impact Assessment
  • Prior consultation
  • Designation, position or tasks of the Data Protection Officer
  • Certification

The higher level of fine, up to €20 million or 4% of the company’s global annual turnover, will be considered for infringements listed in Article 83(5) of the General Data Protection Regulation.

This includes infringements relating to:

  • The basic principle for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data
  • Rights of the data subject
  • Transfer of personal data to a recipient in a third country or an international organisation
  • When deciding whether to impose a fine or the amount to be paid as a fine, the following will be taken into consideration for each individual case:
  • The nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them
  • The intentional or negligent character of the infringement
  • Any action taken by the controller or processor to mitigate the damage suffered by data subjects
  • The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them
  • Any relevant previous infringements by the controller or processor
  • The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
  • The categories of personal data affected by the infringement
  • The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement
  • Where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures
  • Adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42
  • Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.