The GDPR is prescriptive about what organisations have to do to comply. They have to appoint a “data-protection officer” (DPO), an ombudsman who reports directly to top management and cannot be penalised for doing his job. They also have to draw up detailed “data-protection impact assessments”, describing how personal data are processed. And they have to put well-defined processes in place to govern the protection of personal data and to notify authorities within 72 hours if there is a breach. Companies that persistently ignore these rules face stiff fines of up to €20m ($25m) or 4% of global annual sales, whichever is greater.
Europe’s tough new data-protection law