What is the difference between a controller and a processor?
The data controller determines the purpose for which data is being collected, stored and used and the manner and means by which it is being processed.
‘Controller’ can refer to a natural person, a legal person, authority, agency or other body.
The data processor is the person or persons acting on behalf of the controller, whether internal to a company or accessing and using data as an outsourced service.
With GDPR the data processor has more responsibility than under the previous directive in terms of security, risks and overall handling of data.
Organisations can be both controller and processor, but usually the processor is a separate entity.
Can I zoom in on the text to get a detailed view of each row?
Yes - go to ZOOM and select your preferred magnification.
Alternatively, use the zoom bar at the bottom right of your screen.
The default view of the GDPR checklist is 60% to provide an easy view of the entire Excel sheet, although this can easily be altered using the methods above.
How will the complete checklist save me time and money?
Beginning the GDPR process can feel overwhelming and it would be easy to waste time and valuable resources working out exactly what you need to do and how you are to go about doing it.
Depending on your company’s current situation and existing arrangements, without the GDPR Checklist you could potentially be starting the whole process from scratch with little in the way of knowledge on how to approach it and no personnel qualified to undertake the task.
With our product you can basically get started on the project immediately and avoid wasting valuable resources or having the expense of outsourcing the work to expensive compliance professionals.
How will the complete GDPR checklist help my organisation get up to speed with GDPR compliance?
The product has been built to offer the following benefits:
1. It enables you to discover and classify all personal data, the first real step in the GDPR process.
2. It acts as an aid to help you identify protection control gaps.
3. It helps you understand how to protect all personal data through development and implementation of appropriate security controls.
4. It lays the groundwork for you to look at how you can enhance security controls through monitoring, detecting, responding, and reporting on all policy violations and external threats.
In addition, it offers you the opportunity to gain so-called ‘quick wins’ that help you provide evidence and demonstrate you are taking GDPR compliance seriously, by helping you quickly address the key areas:
1. Governance and accountability
2. Roles and responsibilities
3. Update privacy notices
4. Data breach response plan
5. Cyber security
6. Data subject access request (DSAR) procedures
7. Staff awareness training (e-learning)
8. Data deletion
What fines are there for non GDPR compliance?
There are two tiers of administrative fines that can be levied, and they are already being issued in practice.
Up to €10 million, or 2% annual global turnover – whichever is higher
Up to €20 million, or 4% annual global turnover – whichever is higher
Recent GDPR Fines:
Authority: Information Commissioner (ICO)
Fine (€): 204,600,000
Controller/Processor: British Airways
Quoted Art: Art. 32 GDPR
Type: Insufficient technical and organisational measures to ensure information security
Summary: The ICO issued a notice of its intention to fine British Airways £183.39M for GDPR infringements which likely involve a breach of Art. 32 GDPR. The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.
Authority: Spanish Data Protection Authority (aepd)
Date: 2019-08-16
Fine (€): 60,000
Controller/Processor: AVON COSMETICS
Quoted Art: Art. 6 GDPR
Type: Insufficient legal basis for data processing
Summary: A consumer claimed that AVON COSMETICS had unlawfully processed his data without adequately verifying his identity, which led to his data being erroneously entered in a register of claims, preventing him from working with his bank. As a result, a third party fraudulently used the consumer's personal data.
Authority: Data Protection Authority of Berlin
Date: 2019-08-##
Fine (€): 195,407
Controller/Processor: Delivery Hero
Quoted Art: Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR
Type: Insufficient fulfilment of data subjects' rights
Summary: Delivery Hero Germany GmbH had not deleted accounts of former customers in ten cases, even though those data subjects had not been active on the company's delivery service platform for years - in one case even since 2008. In addition, eight former customers had complained about unsolicited advertising e-mails from the company. A data subject who had expressly objected to the use of his data for advertising purposes nevertheless received a further 15 advertising e-mails from the delivery service. In a further five cases, the company did not provide the data subjects with the required information, or did so only after the Berlin data protection officer had intervened.