In the third of our series aimed at debunking myths around the General Data Protection Regulation (GDPR) that comes into effect on 25 May, I’ll address the myth around GDPR sanctions.
Myth #3: All GDPR breaches will result in automatic maximum fines
In some corners of the internet, business is borne of misinformation and scare-mongering. GDPR seems to have presented the perfect opportunity, and one that’s lasted a good couple of years, so far.
Countless articles and conferences have sought to gain attention by claiming that GDPR breaches will result in fines in the millions; that regulators are itching to start a financially-punitive crusade and that companies will be used to set examples to others; their minor breaches inevitably leading to overnight bankruptcy.
GDPR certainly puts a wide range of tools and powers at the disposal of European regulators to facilitate investigations, disciplinary action and sanctions. However, these measures are not going to be the first step in regulatory interactions with companies. Regulators are - first and foremost - committed to guiding, advising and educating companies on their journey of compliance.
Only those particularly dismissive of the law, or that recklessly and regularly fail to comply, will be subject to straight fines, particularly when they create a serious privacy risk to individuals. For the vast majority of breaches, regulators will typically issue warnings, reprimands or orders, at first instance.
It’s therefore extremely unlikely that you’ll wake up on 26 May with a whopping bill from the supervisory authority in the post.
On the flip side, fear of fines is making businesses pay attention to data privacy, and that’s a good thing.
Blog Author: Christel Cao-Delebarre, Global Privacy Officer, Carlson Wagonlit Travel