Group Fines Under the GDPR

“Up to 4 % of an undertaking’s global worldwide annual turnover for the preceding fiscal year”

This is arguably the single most powerful (and certainly the most frightening) statement from the GDPR. The heavy consequences of noncompliance with the recently enacted regulation was most likely the catalyst that propelled many organizations’ readiness review for GDPR. At a high level, one may assume that you can compute your risk exposure simply by multiplying (.04 x Gross Annual Revenue).

But it is not always that easy! This formula applies to organizations that are part of a single “undertaking” as defined by the regulation. For organizations that are not considered a single undertaking, the total exposure may be more difficult to calculate since the annual revenue totals may be part of a larger group of enterprises. This aspect of GDPR raises a number of critical questions, including the following:

• What is an “undertaking”?
• How do I know whether I am a single undertaking?
• If I am not a single undertaking, how do I compute my potential risk of noncompliance?
• Is a fine inevitable, or could I receive a lesser penalty?

Read the full article on www.threatstack.com

About the Author

Kevin Kish is a Privacy Technical Lead with Schellman & Company, LLC. With nearly 8 years industry experience, he has a strong history of implementing, maintaining, and assessing global information security and privacy requirements, including ISO 27001, HITRUST, Privacy Shield and the General Data Protection Regulation. As an industry advocate, he is passionate about researching and writing on the fundamentals and concepts of sustainable data privacy; and, providing education to clients on the risks, challenges, and best practices around data privacy legislation. He holds several privacy designations from the international association of privacy professionals, including CIPP/US, CIPP/E, and CIPM.

More Content by Kevin Kish