If you do not adhere to the GDPR, damage from the following areas can occur:
- Damage from avoidable data loss,
- Penalties from the authority (appropriate and effective, up to €20m or 4% of your organisation’s annual global turnover),
- Indemnity claims from data subjects (including the lawyer’s fees for enforcing them),
- Reputational damage for the organisation if a data breach becomes public, and
- Damage from the wrong response by untrained or poorly trained staff.
In the organisations that we have been advising, we have consistently found procedures that made data loss likely. In many cases this data loss would have ruined the organisation, entirely independently of the GDPR. Implementing the GDPR is an opportunity to minimise these risks and to achieve better employee safety with manageable and often affordable measures.
Article 83 sets out the general conditions under which the authorities impose administrative fines. Measures taken to become GDPR compliant and to minimise possible damage to data subjects will reduce the penalties the authority may impose. It is explicitly required that penalties be effective.
There is no official information about penalties imposed in Austria yet (November 2018), but it appears that the penalties imposed on SMEs were in the range of EUR 500 to 5,000. By comparison, Heathrow Airport in the UK was fined GBP 120,000 because one employee lost a USB memory stick containing confidential information.
Under the GDPR, data subjects have a right to damages. Such damages can also include lawyers’ fees.
Public awareness of data protection has risen under the GDPR. Shortcomings in data protection have been reported in the media more often recently. News that an organisation is sloppy with its data protection can be devastating for its reputation. A single employee who is not sensitised to data protection can cause extensive damage.