A violation could result in fines of up to €20 million or up to 4% of the total worldwide annual turnover of the previous financial year, whichever is higher. Many violations, including the non-appointment of a Data Protection Officer, are considered grossly negligent behaviour. Directors may be held personally liable with their private assets.
It took less than half a year for the first company to suffer the consequences of the GDPR: the Karlsruhe-based provider Knuddels was fined €20,000 for a security breach. The grace period for companies has expired with the first round of enforcement. Now, supervisory authorities are vigilantly following up on infringements.