If the GDPR is not complied with, damages from the following areas may occur:
- Damage due to avoidable data loss,
- Penalties by the authority (reasonable and effective, up to 20 million euros or 4% of annual worldwide turnover),
- Claims for damages by affected parties (including attorney’s fees for enforcement),
- Damage to the company’s reputation if a data protection incident becomes known; and
- Damage caused by incorrect reactions of untrained or poorly trained employees.
In companies we have consulted, there have always been processes that made data loss likely. In several cases, this data loss would have meant the ruin of the company – entirely independent of the GDPR. Implementing the GDPR is an opportunity to minimize these risks and achieve greater operational security with manageable and often cost-effective measures.
Article 83 describes how authorities may impose penalties. Measures taken to comply with the GDPR and to minimize potential harm to data subjects reduce the potential penalty. However, it is explicitly required that penalties be effective.
There is no “official” information on penalties imposed in Austria (as of November 2018), but it seems that around EUR 500-5,000 in penalties are imposed on SMEs for “minor offenses”. In comparison, in the UK, Heathrow Airport was fined GBP 120,000 because an employee lost an unprotected memory stick containing confidential information.
The GDPR gives data subjects the right to compensation. Damages may also arise from legal fees.
The GDPR has also raised public awareness of data protection. Data protection failures are increasingly in the news. The news that a company has been lax about data protection can be devastating for its reputation. A single employee who is not sensitive to data protection can cause great damage as a result.