> On 26 May 2018, at 21:04, Rob McEwen <r...@invaluement.com> wrote: > > Thanks for the clarification. But whether that fine will be less than 10M is > extremely vague and (I guess?) left up to the opinions or whims of a Euro > bureaucrat or judge panel, or something like that... based on very vague and > subjective criteria. I've searched and nobody can seem to find any more > specifics or assurances. Therefore, there is NOTHING that a very small > business with a very small data breach or mistake, could point to... to give > them confidence than their fine will be any less than 10M Euros, other than > that "up to" wording - that is in the same sentence where it also clarifies > "whichever is larger". > > All these people in this discussion who are expressing opinions that > penalties in such situations won't be nearly so bad - are expressing what may > very with be "wishful thinking" that isn't rooted in reality.
Still on ec.europa.eu <http://ec.europa.eu/> they seem to try to reassure SMEs that the penalties will be “proportionate” both to the nature of the infringement and to the size to the company. It also seem to largely be related to whether you infringed the regulation in good faith or not. At least in France where I live the climate is pro-SMEs so I guess small mistakes will be forgiven. The head of our DPA also gave an interview recently saying that there will be no sanctions in the coming months and that they’re available to answer questions when in doubt about what to do. Lastly, our law firm told us that basically we have to wait until the first settlements to see what will be done… Regards, Michel
