GDPR Compliance and fines

Understand GDPR Compliance and fines before you regret

In this day and age, an individual’s privacy is suffering because most of their information is already out there on the internet for the hackers to prey on. So, in order to protect the personal information of its population, the European Union devised a set of General Data Protection Regulations (GDPR)

In effect from May 25, 2018, all companies and organizations that control or process personal data of the EU populace have to mandatorily comply with GDPR. If the companies fail to adhere to these guidelines, the EU holds all rights to levy heavy fines on them.

Are US-Based Companies Affected by GDPR?

Yes, GDPR compliance requirements and fines have a strong presence in the USA as much as any other geographic region in the world. All companies, whether or not they have EU-based employees and clients, are in the scope of GDPR. 

However, GDPR does not state that a company is prohibited from doing business with the EU data subjects entirely. The regulations suggest assorted rights for using personal data, if the organizations can provide lawful and reasonable grounds for each piece of information they require. 

In case of failure to comply with the GDPR, US-based companies run a risk of lawsuits and/or substantial financial penalties. These fines can be as much as 20 million Euros, or 4 percent of the annual turnover of the company, whichever is higher. 

Companies Facing Action Under GDPR

Towards the end of 2018, social media giant Facebook faced severe investigation for data breaches that were unacceptable after GDPR came into effect. Another major US tech firm under the scrutiny of the Irish Data Protection Commission is Twitter. It was discovered that the creators failed to take appropriate measures to protect the personal information of their data subjects. 

A 50,000,000 Euro fine was levied on the world’s leading search engine, Google, by French Supervisory Authority (CNIL). This record penalty was a result of the lack of transparency in the mechanism the search engine followed to personalize advertisements for its users. The first non-compliancy complaint against Google was filed on 25 May 2018, immediately after GDPR came into effect. 

Other US entities such as Apple, Amazon, Netflix, and Spotify are under investigation for having violated GDPR. The reason being, these companies hold a lot of personal data about their users yet deny them access to a copy of this data. 

The above cases and those still pending  highlight that no matter how carefully you devise the Privacy Policy of your company, you cannot escape GDPR. It is one set of regulations that demands complete transparency on part of the organization, or else the customer rights groups can report you to the data protection authorities. 

GDPR Compliance Initiative

Now that it is evident no organization can engage in business with the EU and its data subjects without compliance with GDPR, you should take important steps towards GDPR compliance. If you are unsure how to go about creating one, here are some steps to begin with:

  1. Create a clear picture of the GDPR violation risks that are possible in the course of business and what penalties they might bring along.
  2. Deploy a reliable cybersecurity audit and GDPR compliance service that will help to comply with GDPR easier. 
  3. Monitor all areas where you are using personal data, and have a strong reason to back up all aspects of information. Also, all grounds should be lawful to prove your good faith in case of an audit.

In order to ensure that the above aspects work in tandem, implementing organization-wide data security services are an important task. This is where databrackets comes to the picture. The company comprises of a team of legal and cybersecurity professionals, specializing in international data security and privacy matters. They can act as your virtual Data Protection Officers (DPOs) and bridge the gap between your organization and supervisory authority. 

The presence of a compliance initiative alone can save you a lot of trouble, along with substantial fines, even if there are some imperfections. It is always advised to make informed decisions regarding data protection policies as an organization, to survive in the longer run. 

If an organization comes across a breach in their data security, they  need to report it to the Supervisory Authorities within 72 hours. In case the oganization fails to report such incidents, it can have a serious impact on the freedom and rights of the data subject, resulting in his/her financial loss, loss of confidentiality, or social discrimination. 

Apart from the authorities, individuals must also be notified if their information leaked was not properly encrypted, can be materialized, or does not involve a disproportionate effort. If the data breach impacts a large demographic, a media notice should also be rolled out.


The US and EU engaged in 1.3 trillion dollars of trade in 2018 alone, which represents  sizeable financial sacrifice an organization based in the US would be making by not conducting business  under GDPR regulations. Then again, despite legal actions against several companies in the US by authorities in the EU, more than half of them have still not yet started hiring DPOs for creating a compliance plan. While some organizations remain protected under the EU-US Privacy Shield, others are at a high risk to face court hearings and penalties. Therefore, one should not delay the adoption of a smart and GDPR-compliant data protection policy as early as possible. 

 To that end, databrackets offers a wide range of services tailor made to help you comply with GDPR. The company’s deliverables include GDPR regulations assessment, readiness report, customized policies and procedures, and more.  If you are looking to streamline your GDPR efforts, your search ends at databrackets.


  • Calling all MSPs!! Partner with us!

  • Gain trust and confidence of your customers!
    Get SOC Certified Today!

  • Protect your data from Hackers