It usually starts with a complaint
Most enforcement procedures don’t start with a random inspection, but with a complaint. A customer who can’t get their data deleted. A former employee who wants access to their personnel file. A website visitor who files a complaint about tracking without consent.
The supervisory authority takes up the complaint and contacts you.
What happens if you don’t respond
The worst thing you can do is not respond. The authority first sends a request for information. If you ignore it:
- Reminder - you receive a second request, with a clear deadline
- Formal notice - if silence continues, a formal notice follows
- Penalty or fine - the authority can impose a periodic penalty (a daily increasing amount) or a direct fine
The fine for non-cooperation is on top of any fine for the original infringement. You are only making the problem bigger.
What the authority expects from you
With a request for information, the authority typically asks for:
- An explanation of the situation
- Evidence of the measures you’ve taken
- Your record of processing activities
- Your privacy policy
- Relevant data processing agreements
If your GDPR file is in order, you can deliver this quickly. If you have nothing, it becomes a stressful and expensive exercise.
Cooperation works in your favour
Supervisory authorities take your attitude into account. A business that:
- Responds promptly to the request
- Is transparent about the situation
- Takes measures to resolve the problem
- Can produce documentation
typically receives a milder assessment than one that ignores, denies, or obstructs.
Prevention is cheaper than cure
The cost of GDPR compliance is a fraction of the cost of a fine, legal assistance, and reputational damage. A GDPRWise subscription costs less than an hour of legal advice, and it keeps your file in order.
With GDPRWise your record of processing activities, privacy policy, and dossiers are ready when the regulator calls.