Independent Supervisory Authorities and European Data Protection Board

Information on the ISA and EDPB is covered in detail in my comprehensive Guide to GDPR.

Data Breaches

A data breach is simply an intentional or unintentional release of secure or private information.

If a breach occurs, the Data Controller is obliged to notify the competent Supervisory Authority within 72 hours after becoming aware of the data breach. That is, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. If the supervisory authority is not notified within 72 hours, the controller needs to provide reasons for the delay.

Furthermore, the Data Controller must communicate the breach to the data subject as soon as possible if it is likely to result in a high risk to the rights and freedoms of natural persons.

WILL I be fined?

Only if you pay no attention to your customers’ complaints and warnings from the EU, and blatantly ignore compliance. The same would happen if you ignored tax or health & safety compliance.

You will first become known to the Supervisory Authority. They will then “audit” your processes and assess your compliance. From there, they will establish if an infringement of the Regulation has taken place.

Further information on infringement and assessment criteria is covered in detail in my comprehensive Guide to GDPR.

You have to be very blatant about your ignorance of the Regulation in order to attract attention and hefty administrative fines.

The maximum administrative fine will be up to 20 million Euros or 4% of the worldwide annual turnover of the preceding financial year (whichever is higher) potentially against both data controllers and data processors.

For less egregious breaches, the maximum fine is 10 million Euros or 2% of the worldwide annual turnover of the preceding financial year.

If you would like further in-depth information on the GDPR please feel free to download my comprehensive Guide to GDPR. You will also receive limited follow-up support and gain access to a DATA AUDIT WORKBOOK, a CONSENT CHECKLIST and a GDPR CHECKLIST.

Next up is GDPR Part 8 – What YOU can do NOW
Previous – GDPR Part 6 – Data Protection Principles


Please note: The GDPR series of articles on this blog do not promise to be either a full synopsis or full interpretation of the GDPR. Indeed I have simply taken the most important aspects of the GDPR I feel are relevant to the small business owner. Everything you read online about the GDPR will be some kind of an interpretation, synopsis or summary of the GDPR. Unless, of course, you read the full text in itself.
