3. GDPR enforcement
Amount of GDPR fines per type of breach, all time

Type of breach                                                        Cases   Fines (€)      Avg. fine (€)
Insufficient legal basis for data processing                            162   164,300,342        1,014,200
Insufficient technical and organizational measures to ensure
  information security                                                   84    62,761,627          747,162
Non-compliance with general data processing principles                   70    17,613,465          251,621
Insufficient fulfilment of data subjects' rights                         45     9,563,725          212,527
Insufficient fulfilment of information obligations                       21       576,105           27,434
Insufficient fulfilment of data breach notification obligations           9       220,725           24,525
Insufficient cooperation with supervisory authority                      20       147,779            7,389
Lack of appointment of data protection officer                            4       136,000           34,000
Insufficient data processing agreement                                    2        14,380            7,190
Insufficient fulfilment of data breach obligations                        1           286              286
4. Worldwide data breaches
[Chart: worldwide data breaches, 2015 to 2020. Series: Phishing, Use of stolen credentials, Misdelivery, Misconfiguration, Password dumper, Trojan, Ransomware, RAM scraper]
5. GDPR enforcement
Amount of fines per year
[Chart: total GDPR fines in €, 2019 and 2020, y axis 0 to 60,000,000, broken down by country: Germany, Italy, France, UK, Austria, Sweden, Spain, Others]
6. GDPR enforcement
Number of fines per country (total 418, matching the case count in the table above)

Country    Fines
Spain        139
Romania       41
Hungary       32
Italy         32
Germany       25
Bulgaria      20
Belgium       16
Poland        12
Cyprus        11
Greece        11
Norway        11
Others        68
7. Boards of directors
Members should act as diligent owners of GDPR requirements to avoid negligence liabilities and shareholder claims.
9. Boards of directors
• Set the tone for privacy
• Lead by example in data security
• Monitor the adoption of the GDPR program and the data security policy
• Allocate resources, including the designation of a DPO
12. Ask for a transparent gap analysis for GDPR compliance (benchmarked against ISO 27701), engaging in dialogue between Legal, IT, Information Security, Compliance and Risk.
13. Challenge the responsibility and accountability roles for updated policies, procedures and contracts regarding privacy compliance and data security.
15. How to assess the strength of the GDPR program
• Data-driven risk assessments for compliance requirements, data security and external data processors
• Audited KPIs with targets
• Non-compliance findings in certifications and client audits
16. Test your privacy leadership team
• A doer approach, not a journalist approach for paper compliance
• Skills in risk, legal and data security, not a legal-only background
• Simplify privacy controls; do not write them in legalese
• Aim to sell compliance, not to treat it as a necessary evil
25. Board or delegated committee
• Frequency of reporting
• Informative reports or reports for decisions
• Assurance through the three lines of defence
• Escalations and centralization
26. Reports to the board
KPIs
• ROPA (record of processing activities) and data inventory > updates, DPIAs
• Subject access requests > response time, number
• Consents > number
• Training > by seniority/function, test results
• Risk remediation plans > delays, tests
• Audits of data processors > findings
• Audits from clients > delays
27. Reports to the board
Analysis
• Completed activities in the privacy program
• Data-driven risk assessments
• Data security and compliance incidents and near-misses
• Audit issues benchmarked against international standards
29. Common improvements
• Create, update, train and dry-run a strong breach recovery plan
• Encrypt data and devices
• Monitor, log and stop data transfers and downloads
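The last improvement, monitoring and stopping data transfers, is easy to state and hard to make concrete. The block below is an added example written for this page, not code from the original slides: it runs two simple detections over constructed file-export log lines, a sliding-window volume threshold per user and a list of untrusted destinations. The log format, the 10-minute window, the 8,000-record threshold, the user names and the destination names are all assumptions chosen for the example.

```python
"""Added example: flag bulk or off-channel personal-data exports from access logs.

Illustrative code written for this page, not part of the original slides.
Log format, thresholds, users and destinations are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, user, action, record count, destination
SAMPLE_LOG = """\
2020-11-03T08:01:12Z alice EXPORT 120 sharepoint-internal
2020-11-03T08:04:50Z alice EXPORT 90 sharepoint-internal
2020-11-03T08:05:31Z bob EXPORT 4800 usb-removable
2020-11-03T08:06:02Z bob EXPORT 5200 usb-removable
2020-11-03T09:15:00Z carol DOWNLOAD 300 personal-gmail
2020-11-03T11:40:09Z alice EXPORT 15000 sharepoint-internal
"""

RECORDS_PER_WINDOW = 8000          # assumed threshold for "bulk" in one window
WINDOW = timedelta(minutes=10)     # assumed sliding window
UNTRUSTED_DESTINATIONS = {"usb-removable", "personal-gmail"}  # assumed policy list


def parse_line(line):
    """Parse one log line into (timestamp, user, action, record_count, destination)."""
    ts, user, action, count, dest = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, int(count), dest


def find_violations(log_text):
    """Return a list of (user, rule, timestamp, records, destination) tuples.

    rule is "untrusted_destination" when the export leaves through a channel on
    the policy list, or "bulk_volume" when the user's exports within the sliding
    window exceed RECORDS_PER_WINDOW. An event can trigger both rules.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])          # process in time order
    per_user = defaultdict(list)             # user -> [(timestamp, records)] in window
    violations = []
    for ts, user, action, count, dest in events:
        if dest in UNTRUSTED_DESTINATIONS:
            violations.append((user, "untrusted_destination", ts, count, dest))
        # keep only this user's events that fall inside the window ending at ts
        window = [(t, c) for t, c in per_user[user] if ts - t <= WINDOW]
        window.append((ts, count))
        per_user[user] = window
        total = sum(c for _, c in window)
        if total > RECORDS_PER_WINDOW:
            violations.append((user, "bulk_volume", ts, total, dest))
    return violations


def should_block(dest, records_in_window):
    """Decision a blocking control would make for a single export request."""
    return dest in UNTRUSTED_DESTINATIONS or records_in_window > RECORDS_PER_WINDOW


if __name__ == "__main__":
    for user, rule, ts, records, dest in find_violations(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:6} {rule:22} records={records} dest={dest}")
```

On the sample data, bob's two USB exports trip both rules (the second one pushes his 10-minute total to 10,000 records), carol's small download to a personal mailbox trips only the destination rule, and alice's 15,000-record export to an approved destination trips only the volume rule. The point of reporting both rules separately is that the KPIs on the earlier slides (incidents and near-misses) need to distinguish a policy-channel problem from a volume anomaly.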