The General Data Protection Regulation (GDPR) is a regulation passed by the European Union (EU) in 2016 that came into effect on May 25, 2018. The GDPR is a comprehensive data protection law that applies to all companies processing the personal data of individuals within the EU, regardless of the company's location.
The GDPR seeks to give individuals greater control over their personal data and to harmonize data protection laws across the EU. Some of the key provisions of the GDPR include:
Expanded territorial scope: The GDPR applies to all companies processing the personal data of individuals within the EU, regardless of where the company is located.
Stricter consent requirements: Companies must obtain explicit and freely given consent from individuals before processing their personal data.
Increased rights for individuals: Individuals have the right to access, correct, and delete their personal data. They also have the right to object to their data being processed and to have their data transferred to another controller.
Data protection by design and by default: Companies must implement measures to ensure that data protection is integrated into their systems and processes by design and by default.
Mandatory data breach notification: Companies must report data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach.
Penalties for non-compliance: Companies that violate the GDPR can face significant fines of up to €20 million or 4% of their global annual revenue, whichever is higher.
What are the Penalties for Non-Compliance?
The General Data Protection Regulation (GDPR) imposes significant penalties on companies that violate its provisions. These penalties are intended to ensure that companies take data protection seriously and comply with the regulation's requirements.
The GDPR sets two levels of fines for non-compliance:
Up to 10 million euros or 2% of the company's global annual revenue, whichever is higher, for less severe violations. These may include failing to keep records or failing to notify the supervisory authority of a personal data breach.
Up to 20 million euros or 4% of the company's global annual revenue, whichever is higher, for more serious violations. These may include violating the basic principles of data processing, failing to obtain consent, or failing to respect data subjects' rights.
The specific amount of the fine depends on various factors, such as the nature, severity, and duration of the violation, and the number of individuals affected. The supervisory authority may also take into account factors such as the company's cooperation and previous compliance history.
It's important to note that fines are not the only penalty for non-compliance with the GDPR. The regulation also allows individuals to seek compensation for damages resulting from a violation. Additionally, the supervisory authority may impose corrective measures, such as requiring the company to implement specific data protection measures or to cease certain processing activities.
GDPR Training Requirements for US Companies
While the GDPR applies primarily to companies operating within the EU, it can also apply to non-EU companies that process EU residents' personal data.
If a US company processes personal data of EU residents, it must comply with the GDPR's requirements. This includes having a GDPR-compliant privacy policy, appointing a Data Protection Officer (DPO) if required, and ensuring that data subjects' rights are respected.
The GDPR itself does not specifically mandate training for US companies. However, it is good practice for companies to train their employees on GDPR compliance, particularly those who handle personal data.
Training can help to reduce the risk of GDPR violations and ensure that employees are aware of their obligations under the regulation.
Training should cover topics such as:
The basic principles of GDPR compliance
The rights of data subjects
How to handle personal data in a GDPR-compliant manner
The company's data protection policies and procedures
The consequences of GDPR violations
US companies can choose to provide GDPR training to their employees in-house or can hire external consultants to provide the training. They should also ensure that training is regularly updated to reflect any changes to the regulation.
About LMS Portals
At LMS Portals, we provide our clients and partners with a SaaS-based, multi-tenant learning management system that allows you to launch a dedicated training environment (a portal) for each of your unique audiences.
We provide a ready-made, on-demand GDPR Awareness course and partner with industry experts to provide high-quality, customized GDPR awareness training, delivered on a branded portal with managed services and detailed reporting. We also provide powerful integrations to deliver your program data to almost any in-house centralized data management system you choose.