Entities that violate the new regulation, or fail to implement or prepare for it, may face fines heavy enough to threaten the survival of the business.
Following the example of competition law, the GDPR introduces fines several times higher than those we have been used to. The upper tier is capped at €20,000,000 or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher (a lower tier of €10,000,000 or 2% applies to some obligations). The amount depends on factors such as the nature, gravity, and duration of the infringement, the number of data subjects affected and the extent of the damage, the steps taken by the controller or processor to mitigate it, the categories of personal data affected, and many others.
It is important to highlight that the maximum fine can be imposed on a small company with five employees just as on a large multinational corporation, if the company fails to take the necessary steps to comply with the principles and obligations of the GDPR.
Personal data means any information relating to an identified or identifiable natural person: name, gender, age and date of birth, and marital status, but also an IP address or a photograph. For a sole trader this includes business contact details, such as an e-mail address, telephone number, or the various identification numbers issued by the state, because they identify the individual.
Special categories of personal data (also referred to as sensitive data) include: information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify a person, health, and sex life or sexual orientation. Data on criminal convictions and offences are governed by a separate provision (Article 10) with comparable restrictions.
The personal data of children are not a special category, but the regulation gives them specific protection, notably for consent to online services. Processing of all of these data is subject to much stricter rules.
The GDPR obliges data controllers and processors (regardless of their size or number of employees) to put in place technical, organisational, and procedural measures to demonstrate compliance with the principles of the GDPR. These measures include:
Implementation of data protection by design and by default
Preparation of a data protection impact assessment (DPIA) for processing likely to result in a high risk to individuals
Appointment of a Data Protection Officer (DPO) where the regulation requires one
Pseudonymisation of personal data, so that the data can no longer be attributed to a person without additional information that is kept separately and protected
Keeping records of processing activities
Prior consultation with the supervisory authority where a DPIA indicates a high risk that cannot be adequately mitigated
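Of the measures listed, pseudonymisation is the one that is implemented in code rather than in policy. The following is an added example, not code from the original article, showing one common approach: each direct identifier is replaced by a keyed HMAC token, and both the key and the re-identification table are the "additional information" that must be held separately from the pseudonymised data set. The field names, sample records and demo key are constructed for this example.

```python
import hashlib
import hmac
from collections import Counter
from typing import Any, Dict, List, Tuple

# Constructed sample records for the example (not real people).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"name": "Anna Novak", "email": "anna@example.org", "ip_address": "203.0.113.7", "plan": "basic"},
    {"name": "Jan Dvorak", "email": "jan@example.org", "ip_address": "203.0.113.9", "plan": "premium"},
    {"name": "Anna Novak", "email": "anna@example.org", "ip_address": "198.51.100.3", "plan": "basic"},
]

# Fields treated as direct identifiers; an assumption made for this example.
DIRECT_IDENTIFIERS: Tuple[str, ...] = ("name", "email", "ip_address")

# Demo-only key. In practice generate it with secrets.token_bytes(32) and keep it
# in a key store that the holders of the pseudonymised data cannot read.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token for one identifier value.

    HMAC-SHA256 rather than a plain hash: without the key nobody can confirm a
    guess by hashing every known e-mail address and comparing. The field name
    is bound into the input so the same string in two fields yields two tokens.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_records(
    key: bytes, records: List[Dict[str, Any]], fields: Tuple[str, ...] = DIRECT_IDENTIFIERS
) -> Tuple[List[Dict[str, Any]], Dict[str, str]]:
    """Replace direct identifiers with tokens.

    Returns (pseudonymised records, re-identification table). The table maps
    token -> original value and must be stored and access-controlled separately
    from the pseudonymised records, together with the key.
    """
    pseudonymised: List[Dict[str, Any]] = []
    table: Dict[str, str] = {}
    for rec in records:
        new_rec = dict(rec)
        for field in fields:
            if field in new_rec and new_rec[field] is not None:
                original = str(new_rec[field])
                token = pseudonymise_value(key, field, original)
                table[token] = original
                new_rec[field] = token
        pseudonymised.append(new_rec)
    return pseudonymised, table


def reidentify(
    record: Dict[str, Any], table: Dict[str, str], fields: Tuple[str, ...] = DIRECT_IDENTIFIERS
) -> Dict[str, Any]:
    """Authorised path back to the person: requires the separately held table."""
    restored = dict(record)
    for field in fields:
        if field in restored and restored[field] in table:
            restored[field] = table[restored[field]]
    return restored


def leaks_identifiers(
    pseudonymised: List[Dict[str, Any]], originals: List[Dict[str, Any]],
    fields: Tuple[str, ...] = DIRECT_IDENTIFIERS,
) -> bool:
    """True if any original identifier value survives anywhere in the output."""
    values = {str(r[f]) for r in originals for f in fields if f in r and r[f] is not None}
    return any(str(v) in values for r in pseudonymised for v in r.values())


def records_per_person(pseudonymised: List[Dict[str, Any]], field: str = "email") -> Counter:
    """Analytics still work on tokens: the same person maps to the same token."""
    return Counter(r[field] for r in pseudonymised if field in r)


if __name__ == "__main__":
    data, lookup = pseudonymise_records(DEMO_KEY, SAMPLE_RECORDS)
    for row in data:
        print(row)
    print("leaks identifiers:", leaks_identifiers(data, SAMPLE_RECORDS))
    print("records per person:", records_per_person(data))
    print("re-identified:", reidentify(data[1], lookup))
```

The deterministic token keeps the data useful (records of one person still link together for counting or deduplication), which is also why this is pseudonymisation and not anonymisation: anyone holding the key or the table can reverse it, so those two artefacts need their own access controls and logging.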