The GDPR is a data protection law applied in the European Union. It sets out mandatory measures for obtaining consent to data collection from EU citizens browsing your web page, and has been enforced since May 25, 2018.

What visitors see on a GDPR compliant website:

  1. A request for consent from users before the site accesses and collects their data
  2. Tracking of visitors’ browsing activity with cookies, once consent is given
  3. An option visitors can select to disable cookies, so they can exercise their right to be forgotten

Compliance with data privacy laws is mandatory. Under Article 83 of the regulation, fines of up to 20 million euros or 4% of fiscal revenue, whichever amount is higher, can be levied in less severe data breach cases.

Criteria for GDPR compliance

To be GDPR compliant, a company should provide full disclosure in its privacy policy, written in plain English (in addition to the cookie consent and permissions form), of:

  • What information it collects
  • How it safeguards personal data
  • What it does with personal data after collecting it
  • The legal basis for processing the personal data
  • When and how it shares personal data with others
  • How long it keeps the users’ personal data
  • How users can set their preferences on data collection

This allows all EU citizens to understand how their data is collected and handled, and to what extent they are granting your company access to their private data.

GDPR Data Breach Cases

DSK Bank (the Bulgarian unit of the OTP Group) was fined 1 million lev on August 28, 2019 for a data breach involving over 33,000 accounts of clients who had taken bank loans. Personal identity information on both borrowers and loan guarantors, such as full names, addresses, ID card details and property deed data, was leaked from the bank to third parties. DSK Bank conducted internal checks showing that the bank’s systems were not hacked and that the data breach occurred through other illegal means.

Unicredit Romania received a fine of EUR 130,000 on July 4, 2019, and the bank remained under sanction until remediation measures were enacted. The penalty was imposed on Unicredit Bank S.A. for negligence in implementing personal data protection principles, as well as in safeguarding data processing procedures, so as to meet the GDPR requirements and protect the rights of the data subjects.

OTP Group of Hungary received a HUF 55 million fine on July 21, 2016 due to deficiencies in IT security, credit evaluation and data provision errors. OTP Bank agreed to cooperate with the comprehensive review and oversight of the National Bank of Hungary (MNB) and to carry out remediation measures before the deadline assigned by MNB.

*** There is no exemption from GDPR compliance based on size, whether you have fewer than 250 employees or more. The GDPR is mandatory for companies that transact with European clients and handle their data. All organizations must understand the bigger picture of their IT infrastructure and secure all applications in their estates. If you have 250 or more employees, it’s important to hire a DPO (Data Protection Officer) to take care of PII protection, free of any conflict of interest. ***