No Big Fines…For Now
The GDPR gives regulators the power to hit firms with a maximum fine of 4% of global annual turnover, or €20 million, whichever is higher. But contrary to many headline-grabbing predictions and FUD-led marketing, it’s unlikely that they will look to exercise these powers early on. In fact, the UK supervisory authority, the Information Commissioner’s Office, has said publicly: “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm … We have always preferred the carrot to the stick.”
That said, these fines are far from symbolic, and as time goes on and regulators’ patience wears thinner, the chances of major financial penalties will increase. The €20 million question is exactly when this will be.
What is most likely is that the first big fines will come not from a major breach, but from a case brought by an individual whose new rights to data portability, erasure, access etc. were not upheld by an organisation. The reputational impact of such a case could result in far more damage to brand and customer trust than the headline fine.
For those organisations still willing to risk non-compliance, it should be remembered that the regulators will also have the power to suspend data transfers to third countries — like the US and potentially post-Brexit Britain — and even shut down data processing altogether. That would put any modern organisation out of business pretty quickly.