The GDPR has introduced a tiered approach to fines, meaning that the severity of the breach will determine the fine imposed. Companies that do not have their records in order or that fail to report any breaches to the authorities can be fined a maximum of 2% of their annual global turnover. The maximum fine a company can face is 4% of their annual global turnover, or €20 million, whichever is the highest.
What are the records of processing activities (ROPA)?
Article 30 of the EU General Data Protection Regulation (GDPR) requires organisations to maintain internal records, which