主成分分析是实证分析么_2020年2月至今的gdprs罚款的实证分析及其对组织的意义...-CSDN博客

主成分分析是实证分析么

Until 8 July 2019, the average GDPR fine was US$5,600, but on that day, everything changed. The UK’s enforcer of GDPR (the ICO) announced on July 8 that British Airways would be fined a record £183M (US$226M) for a data breach involving 500,000 individuals (2.5% of their total global revenue). The next day, the ICO announces another fine — this time, £99M (US$120 million) against Marriott Hotels (~3% of their total global revenue).

直到2019年7月8日，GDPR的平均罚款为5,600美元，但那一天，一切都变了。英国GDPR(ICO)的执行者于7月8日宣布，英国航空公司将因涉及50万个人(占全球总收入的2.5％)的数据泄露而被处以创纪录的1.83亿英镑(2.26亿美元)的罚款。第二天，ICO宣布再次对万豪酒店处以9900万英镑(1.2亿美元)的罚款(约占其全球总收入的3％)。

GDPR’s potentially material fines are forcing not just British Airways or Marriott to put a greater emphasis on security & privacy, but on nearly every organization that handles PII (either directly themselves or on behalf of a client). No one wants to lose up to 4% of their global revenue.

GDPR的潜在实质性罚款不仅迫使英国航空公司或万豪酒店更加强调安全性和隐私性，而且还迫使几乎每个处理PII的组织(直接或亲自或代表客户)。没有人愿意损失高达4％的全球收入。

While there have been articles published about the major fines, there hasn’t been an analysis of all known fines and the associated consequences for organizations. Having a clear, predictable understanding of how much EEA authorities will fine for violating GDPR enables organizations to make better investments. For example, an organization could put themselves at risk if they’ve prepare for a 1% of total revenue fine but are, in reality, at risk of a 3.5% fine. Having accurate information would enable that company to appropriately invest their limited resources towards a more mature ISMS (information security management system).

尽管已经发布了有关主要罚款的文章，但尚未对所有已知罚款及其对组织的相关后果进行分析。对EEA当局因违反GDPR会受到多少罚款的清楚，可预测的理解，使组织可以进行更好的投资。例如，如果一个组织准备为总收入罚款的1％，但实际上却面临3.5％的罚款，则可能使自己处于风险之中。拥有准确的信息将使该公司能够将有限的资源适当地投入到更成熟的ISMS(信息安全管理系统)中。

To assist organizations in better understanding the risks of the GDPR’s fines, we analyze all publicly available fines (as of 29 Jan 2020) and publish our findings in this paper. Our analysis considers quantitative and qualitative data, such as the amount of fines, reasons why the fines were issued, etc. We conclude by offering actionable advice that organizations can consider as they determine how to better comply with GDPR.*

为了帮助组织更好地理解GDPR罚款的风险，我们分析了所有公开可用的罚款(截至2020年1月29日)，并在本文中发表了我们的发现。我们的分析考虑了定量和定性数据，例如罚款额，罚款原因，等等。我们最后提供了可行的建议，组织可以在确定如何更好地遵守GDPR时考虑这些建议。*

目录 (Table of Contents)

Executive Summary
执行摘要
Methodology
方法
How Data Protection Authorities (DPAs) Determine Fine Amounts
数据保护机构(DPA)如何确定罚款额
Detailed Data Analysis
详细数据分析
Limitations & Next Research Steps
局限性和下一步研究
Conclusion
结论
Sources & Legal disclaimer
消息来源和法律免责声明

执行摘要 (Executive Summary)

GDPR has made a significant impact on organizations, their vendors and fourth-parties. Having a clear, predictable understanding of how much and the reasons why EEA authorities are issuing fines for violating GDPR enables organizations to make better decisions on how to invest their limited resources.

GDPR对组织，其供应商和第四方产生了重大影响。对EEA当局对违反GDPR的罚款金额和原因进行清楚，可预测的理解，使组织可以就如何投资其有限资源做出更好的决策。

Image for post — Photo by Maryna Yazbeck on Unsplash

我们的分析发现了七个主要发现： (Our analysis uncovered seven main findings:)

Fines have increased over time, with the average fine now in the millions of euros
罚款随着时间的推移而增加，目前平均罚款为数百万欧元
Fine amounts can vary greatly by country, with the UK, France, Italy, Austria and Germany issuing the largest fines (on average)
罚款金额因国家/地区而异，英国，法国，意大利，奥地利和德国的罚款金额最大(平均)
Including the UK, 68% of orgs violating GDPR can expect to be fined €6–245 million (with a mean of €105M) per violation
包括英国在内，每宗违反GDPR的组织中有68％有望被处以62.45亿欧元的罚款(平均为1.05亿欧元)
Excluding the UK, 68% of orgs violating GDPR can expect to be fined €0–140 million (with a mean of €20M) per violation
除英国外，每宗违反GDPR的组织中有68％预计会被罚款0-1.4亿欧元(平均为2000万欧元)
Most organizations violating GDPR are found to be doing one, if not both, of the following:
发现大多数违反GDPR的组织都在以下一项或多项工作中：

i. Inadequate protecting PII from unauthorized disclosure, loss or alteration (i.e., data breach)

一世。 保护PII不足以防止未经授权的披露，丢失或更改(即数据泄露)

ii. Inappropriately obtaining consent from individuals (which requires the terms & conditions be communicated clearly and in plain language)

ii。 不当地征得个人的同意(这要求条款和条件以清晰的语言清楚地传达)

6. Fine amounts seemed to not be directly correlated to how often an organization was found to violate GDPR, though further research could provide additional insights onto this

6 。 罚款金额似乎与发现组织违反GDPR的频率没有直接关系，尽管进一步的研究可以对此提供更多见解

7. Even “small” data breaches can have large consequences. British Airways’ first fine of £183M (US$226M) was for a data breach involving 500,000 individuals.

7.即使是“小规模”的数据泄露也可能造成严重的后果。 英国航空的第一笔罚款1.83亿英镑(2.26亿美元)是因为涉及50万个人的数据泄露。

组织可以做什么来减轻罚款风险 (What Organizations Can Do to Mitigate the Risk of Fines)

Understanding that an average fine in Feb 2020 is (excluding the UK) €20M, organizations can use this data to conduct a more data-based risk assessment and better determine how much to invest in mitigating risk.

了解到2020年2月的平均罚款(不包括英国)为2,000万欧元，组织可以使用此数据进行更基于数据的风险评估，并更好地确定为减轻风险而投资的金额。

For example, let’s say your organization determines that the risk of a GDPR fine is 50% (or €10M)/year. Further analysis determines that by investing an additional €5M/year into x, y and z in your ISMS (information security management system), your fine risk is lowered to 7% (or €1.4M)/year. Your organization could then make a more data-based decision that the €5M/year investment into additional data protection features is worthwhile.

例如，假设您的组织确定GDPR罚款的风险为每年50％(或1000万欧元)。进一步的分析确定，通过每年在ISMS(信息安全管理系统)中向x，y和z追加投资500万欧元，您的精细风险可以降低到7％(或140万欧元)/年。然后，您的组织可以做出一个基于数据的决定，即每年500万欧元用于其他数据保护功能的投资是值得的。

Additionally, keep in mind that this analysis only considers the fine amount. The analysis does not include additional costs, including lost (future) sales, reputation, incident response costs (IBM estimates the avg. cost here is nearly US$4 million/incident), disruption to business, etc. These costs should be included in your analysis.

此外，请记住，此分析仅考虑罚款金额。该分析不包括额外的成本，包括销售损失(未来)，声誉，事件响应成本( IBM估计这里的平均成本接近400万美元 /事件)，业务中断等。这些成本应包括在您的分析。

With these factors in mind, we recommend that organizations do the following to mitigate their risk of being subject to a fine under GDPR:

考虑到这些因素，我们建议组织采取以下措施来降低其受到GDPR罚款的风险：

Conduct a data-based risk assessment and cost/benefit analysis
进行基于数据的风险评估和成本/收益分析

i. GDPR Recital 77 requires this risk assessment be based on industry best practices (e.g., NIST 800–30).

一世。 GDPR Recital 77 要求此风险评估应基于行业最佳实践(例如， NIST 800–30 )。

2. Address your risk assessment findings by making appropriate investments

2.通过进行适当的投资来解决您的风险评估结果

3. Remember that GDPR requires organizations to have:

3.请记住，GDPR要求组织具有：

i. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of PII

一世。 确保PII持续保密，完整性，可用性和弹性的能力

ii. A process in place to regularly test, assess and evaluate the effectiveness of their ISMS

ii。 定期测试，评估和评估ISMS有效性的程序

4. To more effectively address these recommendations, we highly recommend organizations be formally certified in ISO/IEC 27001:2013, SOC 2 Type II or an equivalent standard

4.为了更有效地解决这些建议，我们强烈建议组织通过ISO / IEC 27001：2013，SOC 2 Type II或等效标准的正式认证

英国呢？ (What About the UK?)

The UK will continue to be subject to GDPR through the remainder of 2020. While we don’t know what the UK’s data protection laws will be post-2020, the UK is generally privacy-conscious. This is shown by their having issued nearly 75% of all GDPR fines to-date and by this statement from their data protection authority (the ICO):

在2020年剩余时间内，英国将继续受到GDPR的约束。虽然我们不知道2020年后英国的数据保护法将是什么，但英国通常对隐私有所关注。迄今为止，他们已经发布了GDPR罚款总额的近75％，并且其数据保护机构(ICO)的声明也表明了这一点：

Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.

个人数据具有真正的价值，因此组织有法律责任确保其安全，就像处理其他任何资产一样。如果那没有发生，我们将在必要时毫不犹豫地采取强有力的行动，以保护公众的权利。

Additionally, the EU has stated that they will require GDPR-like protections in all future trade deals (at the expense of limiting free trade, if necessary), it’s highly likely that the UK will:

此外，欧盟表示，他们将在所有未来贸易交易中要求类似GDPR的保护 (如果必要，以限制自由贸易为代价)，英国极有可能：

Continue to have stringent data protection laws in place
继续制定严格的数据保护法律
Issue material fines against organizations that fail to uphold individuals’ privacy rights
对未能维护个人隐私权的组织处以重大罚款

Organizations should make additional investments in their security programs and communicate their privacy policies clearly. The authors of this paper have found Google’s privacy policy to be clearly explained and should be emulated by organizations.

组织应在其安全计划上进行更多投资，并清楚地传达其隐私政策。本文的作者发现Google的隐私权政策得到了清晰的解释，应由组织机构效仿。

结论 (Conclusion)

GDPR’s have increased in the past two years, and we predict the fine amounts will continue to increase over time. Organizations are encouraged to use (and build on) this study’s empirical analysis to more effectively determine how they can best comply with GDPR (e.g., preventing data breaches).

GDPR在过去两年中有所增加，我们预计罚款数额将随着时间的推移而继续增加。鼓励组织使用(并在此研究的基础上)进行实证分析，以更有效地确定他们如何最好地遵守GDPR(例如，防止数据泄露)。

方法 (Methodology)

We first began by converting all values to euros. Conversions in this report into other currencies used exchange rates available in Feb. 2020. We analyzed the data in Microsoft Excel using basic statistical methods, including utilizing a population standard deviation rather than a sample standard deviation. This is due to our analysis include all publicly disclosed GDPR fines rather than a sample. Under GDPR, all fines are required to be made public.

首先，我们将所有值转换为欧元。本报告中的其他货币汇率转换采用了2020年2月可用的汇率。我们使用基本的统计方法，包括使用总体标准差而不是样本标准差，在Microsoft Excel中分析了数据。这是由于我们的分析包括所有公开披露的GDPR罚款，而不是样本。根据GDPR，所有罚款都必须公开。

While the UK has officially left the EU, it is still subject to GDPR through 2020, and EU authorities have made clear that any future trade deals must include GDPR-like provisions. Therefore, it’s likely that the UK will continue to have GDPR-like protections going forward. Therefore, our analysis generally includes data from the UK.

英国已正式离开欧盟，但到2020年仍将受GDPR的约束，欧盟当局已明确表示，任何未来的贸易协议都必须包括类似GDPR的规定。因此，英国很可能会继续获得类似于GDPR的保护。因此，我们的分析通常包括来自英国的数据。

数据保护机构(DPA)如何确定罚款额 (How Data Protection Authorities (DPAs) Determine Fine Amounts)

In order to understand how future fines may impact an organization, knowing how fines are levied is important to know. Article 83 outlines how fines should be imposed under GDPR.

为了了解将来的罚款会对组织产生怎样的影响，了解罚款的收取方式非常重要。第83条概述了应如何根据GDPR处以罚款。

When a DPA determines an organization has violated GDPR, they make a recommendation to their respective national court for how much the organization should be fined. The court then assess the final situation and determines how large the fine should be.

当DPA确定某个组织违反了GDPR时，他们会向各自的国家法院建议应对该组织处以多少罚款。法院然后评估最终情况，并确定罚款数额。

When both DPAs and the courts assess the amount of a fine, they follow the principles of Article 83 to ensure that the fine is “effective, proportionate and dissuasive.” The major principles are to consider:

当DPA和法院都评估罚款金额时，他们会遵循第83条的原则，以确保罚款“有效，相称且具有劝阻性”。主要原则是要考虑：

The nature, magnitude and duration of the violation
违规的性质，严重程度和持续时间
If the violation was intentional or from negligence
如果违反是故意的或出于过失
Any actions the organization took to limit the damage to the affected individuals
组织为限制对受影响个人的损害而采取的任何措施
Any previous violations of GDPR the organization has committed
该组织以前犯过的任何违反GDPR的行为
How cooperative with the DPA the organization has been
该组织与DPA的合作程度如何
The types of PII affected
受影响的PII类型
How the DPA was alerted to the violation, such as if the organization self-reported or the DPA discovered the violation through a news report
如何向DPA警告违规，例如组织自我报告或DPA通过新闻报道发现违规

Lastly, fines are levied per violation. If an organization is found to have not appropriately obtained consent and has a data breach, both situations are handled as an individual violation and subject to fines.

最后， 每次违规都要罚款。如果发现某个组织未获得适当的同意并违反了数据，则将这两种情况都视为个人违规并处以罚款。

详细数据分析 (Detailed Data Analysis)

In this section, we provide graphics, charts, etc. that we created from our analysis and to create this paper. The spreadsheet we used in our analysis is available here. We obtained the raw data from The enforcementtracker database.

在本节中，我们提供从分析中创建并创建本文的图形，图表等。我们在分析中使用的电子表格可在此处获得。我们从Theforcementtracker数据库获得了原始数据。

Because the United Kingdom is subject to GDPR until the end of 2020 and it’s likely to continue to have strong data protection laws in place, we both generally include the UK in these analyses. Some analyses are done twice, once with and once without the UK.

由于英国将受GDPR约束直到2020年底，而且英国可能会继续制定强有力的数据保护法律，因此我们都通常将英国纳入这些分析中。有些分析进行了两次，一次是在英国，一次是在英国之外。

Readers may observe that not every country in the EEA is listed in our analysis. This is because not every country has (as of 29 Jan 2020) publicly announced a GDPR-related fine (under GDPR, fines are to be made publicly available).

读者可能会发现，我们的分析并未列出欧洲经济区中的每个国家。这是因为并非每个国家(截至2020年1月29日)都公开宣布了与GDPR相关的罚款(根据GDPR，罚款将公开发布)。

国家罚款数 (Number of Fines by Country)

The top five countries that have issued the most fines is the same with and without the UK included in the analysis. These countries are:

罚款金额最高的前五个国家在分析和未分析英国的情况相同。这些国家是：

Spain (42)
西班牙(42)
Romania (21)
罗马尼亚(21)
Germany (18)
德国(18)
Bulgaria (16)
保加利亚(16)
Hungary (14)
匈牙利(14)

各国家/地区的罚款总额，减去英国 (Total fines by country, less the UK)

Thus far, EEA authorities have issued €116M in fines (US$127M). Excluding the UK, the top five countries that have issued the most cumulative fines are:

到目前为止，欧洲经济区当局已开出了1.16亿欧元的罚款(1.27亿美元)。除英国外，累计罚款最高的前五个国家是：

France (€51.1M)
法国(€51.1M)
Germany (€24.9M)
德国(€24.9M)
Austria (€18.1M)
奥地利(1810万欧元)
Italy (€11.6M)
意大利(€11.6M)
Bulgaria (€3.2M)
保加利亚(320万欧元)

The UK has issued a total of €315M in fines, which is 2.7 times greater than the rest of the EEA’s fines combined.

英国共开出了3.15亿欧元的罚款，这是欧洲经济区其他罚款总和的2.7倍。

平均按国家(包括英国)处以罚款 (Avg. fine by country, including the UK)

The two previous analyses can be useful in determining how much each country may fine; however, looking at the avg. fine per violation is a much more useful metric for our purposes. The top five countries that have issued the most fines on average are:

前面的两个分析对于确定每个国家可能罚款多少有用。然而，看着平均。对我们而言，每次违规罚款是一个更有用的指标。平均罚款最高的前五个国家是：

The United Kingdom (€105.1M/fine)
英国(1.051亿欧元/罚款)
France (€10.2M/fine)
法国(1,020万欧元/罚款)
Italy (€3.9M/fine)
意大利(390万欧元/罚款)
Austria (€3.0M/fine)
奥地利(300万欧元/罚款)
Germany (€1.5M/fine)
德国(150万欧元/罚款)

The UK has issued just three fines under GDPR. The Marriott International fine alone (€110) is almost equal to the total amount of fines issued by the EEA combined (€116). Thus, the chart above shows the other countries’ fines are minimal on avg. compared to those issued by the UK.

英国仅根据GDPR颁布了三项罚款。仅万豪国际酒店的罚款(110欧元)就几乎等于欧洲经济区发布的罚款总额(116欧元)。因此，上表显示其他国家/地区的平均罚款金额最低。与英国发布的相比。

平均罚款包括性病。开发人员，包括英国 (Avg. fine including std. dev., including the UK)

Building on the last analysis, we analyze fines by std. deviation. This enables us to understand where we can anticipate most fines to fall. Note that the negative values will, in reality, be zero or minimal. Because this data includes all known fines and is, thus, not a sample, we utilize a population standard deviation rather than a sample standard deviation. For all countries in the EEA, our analysis produced the following results (with an avg. fine of €125M):

在最后分析的基础上，我们按标准分析罚款。偏差。这使我们能够了解可以预计的最高罚款额将下降到哪里。注意，负值实际上将为零或最小值。由于此数据包括所有已知罚款，因此不是样本，因此我们使用总体标准差而不是样本标准差。对于欧洲经济区的所有国家，我们的分析得出以下结果(平均罚款为1.25亿欧元)：

68% of fines: €6–245 million
68％的罚款： 62.45亿欧元
95% of fines: €0–364 million
95％的罚款：0到 3.64亿欧元
99.7% of fines: €0–483 million
罚款的99.7％： 0-483百万欧元

Based on these results, most organizations that violate GDPR can expect to receive a fine between €6.2–245 million; however, the amount varies greatly by country. Because the UK will be leaving the UK soon, we analyze a scenario where the UK’s fines are not considered; however, for 2020 organizations found to be violating GDPR and subject to an investigation by the UK’s ICO can expect to be fined between €22–189 million by the ICO.

根据这些结果，大多数违反GDPR的组织可能会收到6.2-2.45亿欧元的罚款；但是，金额因国家/地区而异。由于英国即将离开英国，因此我们分析了一种不考虑英国罚款的情况；但是，对于2020年发现违反GDPR并受英国ICO调查的组织，预计ICO将对其罚款22至1.89亿欧元。

平均罚款包括性病。 dev。，减去英国 (Avg. fine including std. dev., less the UK)

As discussed earlier, the UK accounts for nearly 75% of total fines issued. Because the UK is leaving the EU and their fines are substantial, additional analysis that excludes the UK is warranted.

如前所述，英国占罚款总额的近75％。由于英国即将离开欧盟，其罚款额很高，因此有必要进行进一步分析，排除英国。

Keep in mind that the average fine is €20M:

请记住，平均罚款为2000万欧元：

68% of fines: €0–140 million
罚款的68％： 0-1.40亿欧元
95% of fines: €0–259 million
罚款的95％： 0-259百万欧元
99.7% of fines: €0–378 million
罚款的99.7％： 0-378百万欧元

平均随着时间的推移罚款金额 (Avg. Fine Amount Over Time)

Based on a linear trend-line, the average avg. GDPR fine goes up over time. Even when withdrawing the three largest fines (in January 2019 and July 2019), the upwards trend is evident. This finding is in line with what’s been expected to happen.

基于线性趋势线，平均平均值。 GDPR罚款会随着时间增加。即使撤销三笔最高罚金(分别在2019年1月和2019年7月)，上涨趋势仍然显而易见。这一发现与预期的结果是一致的。

Analyzing the avg. fine per quarter, we see the following trend:

分析平均值。每季度罚款，我们看到以下趋势：

Q3 2018 — €200,000
2018年第三季度 -€200,000
Q4 2018 — €8,000
2018年第4季度 -€8,000
Q1 2019 — €16,700,000
2019年第一季度 —€16,700,000
Q2 2019 — €317,000
2019年第二季度 —€317,000
Q3 2019 — €45,700,000
2019年第三季度 -€45,700,000
Q4 2019 — €2,300,000
2019年第四季度 —€2,300,000

While there is variation in the amount quarter-to-quarter, the overall trend is that fines are consistently increasing.

虽然季度间的金额有所不同，但总体趋势是罚款不断增加。

违规的主要原因 (Primary Reasons for Violations)

The following five Articles of GDPR have been violated the most. A complete list is beneath the top-five list. It’s important to note, that a single fine can include violations of multiple articles.

GDPR的以下五个条款遭到了最多的违反。完整列表位于前五名列表的下方。重要的是要注意，一次罚款可能包括违反多篇文章。

Article 5 (48) — PII is to be processed lawfully, fairly and transparently and be protected from unauthorized processing, disclosure and destruction.
第5条第 48 款 — PII应合法，公正和透明地处理，并受到保护，防止未经授权的处理，披露和销毁。
Article 6 (30) — PII may only be processed if the individual has given his/her explicit consent for the specified purpose(s).
第6条第 30 款 — 仅在个人出于特定目的明确表示同意后，才可以处理PII。
Article 13 (13) — When collecting an individual’s PII, the data controller must provide several types of information, such as the DPO’s contact information, the recipient(s)/who will assist process their data and an enumeration of the individual’s privacy rights.
第13条第13款 - 收集个人的PII时，数据控制者必须提供多种类型的信息，例如DPO的联系信息，收件人/谁将协助处理其数据以及枚举个人的隐私权。
Article 32 (9) — Data controllers and processors must implement appropriate security measures commensurate to the types of PII processed that prevent unauthorized destruction, loss, alteration and/or disclosure of PII.
第32 (9)条- 数据控制者和处理者必须采取与所处理的PII类型相对应的适当安全措施，以防止未经授权破坏，丢失，更改和/或披露PII。
Article 12 (8) — Data controllers must clearly, transparently and in plain language communicate the reason(s) for the processing of PII and within one month respond to individuals’ requests to fulfill their privacy rights.
第12条第 8 款 - 数据控制者必须以透明，清晰，透明的语言传达处理PII的原因，并在一个月内回应个人履行其隐私权的要求。

Based on this analysis, we observe that organizations receiving fines under GDPR tend to not be doing two things:

根据此分析，我们观察到根据GDPR收取罚款的组织往往没有做两件事：

Adequately protecting PII from unauthorized disclosure, loss or alteration
充分保护PII免受未经授权的披露，丢失或更改
Appropriately obtaining consent from individuals, which includes communicating the terms & conditions clearly, plainly and in plain language
适当地征得个人的同意，包括清楚，明了地用简单的语言传达条款和条件

局限性和下一步研究 (Limitations & Next Research Steps)

While the author has conducted this analysis to the best of his abilities, there are inherent limitations of being a single researcher. For example, there may be factors, data, etc. that weren’t consider, calculated incorrectly, etc.

尽管作者已尽其最大能力进行了此分析，但作为一个单独的研究人员存在着固有的局限性。例如，可能有一些因素，数据等未被考虑，计算错误等。

To improve upon this research, the author invites others (both in academia and industry) to build on his work and/or collaborate with him. With additional investment & resources, this article can be enhanced by conducting interviews with DPAs, fined organizations, percentage of annual turnover fined, etc. and putting the article through the rigor needed to publish an an A-level academic journal.

为了改进这项研究，作者邀请其他人(学术界和工业界)继续他的工作和/或与他合作。借助额外的投资和资源，可以通过与DPA，被罚款的组织，被罚款的年营业额进行访谈等，并通过发表A级学术期刊所需的严格性，来加强这篇文章。

Another limitation of this study is that it doesn’t factor fines as a percentage of global revenue. One deterrent for doing this is that both private and publicly-traded organizations (e.g., business, non-profits, churches, etc.) are subject to GDPR, making determining the fine as percentage of revenue difficult in every situation. For this initial analysis, we have chosen to not consider this factor; however, doing so in future will provide additional insights and benefits to organizations. We encourage other researchers to build on our analysis and provide additional insights.

该研究的另一个局限性在于它没有将罚款占全球收入的百分比考虑在内。这样做的威慑力在于，私人和公开交易的组织(例如，企业，非营利组织，教堂等)都受到GDPR的约束，这使得在每种情况下都很难确定罚款占收入百分比的比例。在此初始分析中，我们选择不考虑此因素。但是，将来这样做将为组织提供更多的见解和好处。我们鼓励其他研究人员以我们的分析为基础，并提供更多见解。

Such analysis would provide even more value & benefit to organizations and the individuals they serve.

这种分析将为组织及其服务的个人提供更多的价值和利益。

资料来源 (Sources)

Data for this analysis was taken from The enforcementtracker database. The enfocementtracker database is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
该分析的数据来自Theforcementtracker数据库 。 enfocementtracker数据库是根据Creative Commons Attribution-NonCommercial-ShareAlike 4.0国际许可证获得许可的。

enforcementtracker.com, provided by CMS Law.Tax
executiontracker.com，由CMS Law提供。Tax
GDPR — A Comprehensive Overview by Andrew Sanford
GDPR — 安德鲁·桑福德 ( Andrew Sanford)的综合概述
Full, original text of the GDPR
GDPR的完整原始文本

法律免责声明 (Legal Disclaimer)

*The advice offered in this paper is not legal advice. Organizations should consult with appropriate parties, including legal counsel and data privacy experts, before implementing GDPR-related programs, initiatives, etc. at their organization. GDPR is complicated, nuanced and principles-based. Great care must be taken when determining how your organization can comply with GDPR. While the advice contained herein can be helpful when considering risks to your organization, implementing GDPR solely based on the limited information in this paper is unwise and should not be done.

*本文提供的建议不是法律建议。 在组织实施与GDPR相关的计划，举措等之前，组织应咨询相关各方，包括法律顾问和数据隐私专家。 GDPR是复杂的，细微的和基于原则的。 在确定组织如何遵守GDPR时必须格外小心。 尽管此处包含的建议在考虑对组织的风险时可能会有所帮助，但是仅基于本文中的有限信息实施GDPR是不明智的，因此不应该这样做。