The first thing to remember when considering the new reforms is that there are significant fines for breaches of the regulations.
These fines are presented in two tiers:
Tier One - Up to €10 million or up to 2% of annual worldwide turnover for the preceding financial year, whichever is higher.
This level of fine applies to infringements such as having no written contract in place between the controller and the processor of the data. It is now the responsibility of any organization that holds and controls a data subject's personal data (including sensitive data) to have a clear and concise written contract in place before passing that data to a third party (a Data Processor).
No contract? There’s a fine coming your way.
Tier Two - Up to €20 million or up to 4% of annual worldwide turnover for the preceding financial year, whichever is higher.
This level applies to more serious infringements, for example where a company processes sensitive personal data without obtaining the data subject's explicit consent.