this post was submitted on 13 Feb 2026

General Data Protection Regulation (“GDPR”) ⚖
Gem from the article:

Under Article 221, §2 of the Belgian Data Protection Act of 30 July 2018, public bodies are exempt from GDPR fines in Belgium.

So Belgian public services have no incentive to comply with the GDPR.

Yikes. The money taken by fines does not disappear. It would normally move from one public pot to another public pot.

(update) less confusing source: https://eurocloud.org/news/article/no-gdpr-fines-for-public-sector-bodies-at-all-no-discrimination-and-no-problem/

It’s also interesting to see the comment on this case.

[–] Corporal_Punishment@feddit.uk 0 points 4 days ago (1 children)

And the end result is public services suffer.

Imagine a school gets fined £100k. A small amount in the vast scheme of things, but an amount that could cripple a school financially. Education provision would suffer and the end result would be special measures instituted by the Department for Education to provide emergency funding.

Absolutely nobody benefits from a fine. Everyone loses.

[–] freedomPusher@sopuli.xyz 1 points 4 days ago* (last edited 4 days ago) (1 children)

Bad public services should be defunded. From there, data subjects benefit from the restructuring, which ensures the GDPR is taken seriously. The incompetent lose. They get shown the door. The people benefit from the money (which does not disappear) going to public services that respect their rights.

There is also deterrence. A DPO for a school who knows they could become responsible for the school losing funding due to their negligence will act more responsibly. The boss of the DPO who also knows a fine is possible will hire a qualified DPO, as opposed to a clown. When a data subject makes a GDPR request, the DPO and school won’t laugh at it (which is what happens now).

> Imagine a school gets fined £100k.

It sounds like you have selected a suboptimal amount, by your own admission.

> Absolutely nobody benefits from a fine. Everyone loses.

Privacy is a human right. Throwing human rights under the bus harms the data subjects. Data subjects benefit from effective GDPR enforcement. In the EU, such a circumstance harms the whole EU because the protection is not uniform. The GDPR becomes spotty, hit and miss... unreliable.

[–] Corporal_Punishment@feddit.uk 1 points 4 days ago (1 children)

We don't disagree entirely.

But having worked in the public sector I can tell you that whilst fining organisations like schools that are already on their knees financially might sound good in theory, the reality is much different.

The alternative that you allude to is holding DPOs personally liable for breaches and non-compliance. Again nice in theory but in practice it means that in most cases you're holding one person responsible for the actions of someone else.

My org had a high impact breach a couple of months ago. Caused by a part time administrator in an understaffed, overworked team making a very simple and careless mistake.

They'd had their training, they'd been told to double check everything as it "went out the door". But they're human and they fucked up.

Fining us would accomplish nothing. It wouldn't teach the DPO a lesson - they've done everything the law requires. The only outcome that would have any sort of deterrent effect would be to fire the hapless admin person. That deterrent effect would last all of 5 minutes until some hapless individual somewhere else made a mistake.

This is where GDPR collides with employment law and the real world.

[–] freedomPusher@sopuli.xyz 1 points 4 days ago* (last edited 4 days ago) (1 children)

> The alternative that you allude to is holding DPOs personally liable for breaches and non-compliance. Again nice in theory but in practice it means that in most cases you’re holding one person responsible for the actions of someone else.

I doubt it’s legal to hold someone personally liable. I know a bar owner who would do a money grab on his bartender’s paycheck whenever he did something objectionable. I don’t think that was legal, nor would I suggest it.

The main purpose of a legal person is to shield natural persons from lawsuits. The DPA would be fining the public agency as a whole.

The public agency should of course internally attribute the DPO’s failures to the DPO. From there, I doubt it would be legal to do an instant money grab on the DPO. But there are of course legally sound corrective actions. If the DPO is an outside agency, it’s simple to outsource to another provider of DPO services. If it’s a direct employee, they can be sacked or reassigned a different role. They could be given a pay cut in the future, like at their next annual appraisal, at which point they can decide whether to accept the new terms. They could be required to attend training. It’s a management issue.

> My org had a high impact breach a couple of months ago.

A breach is not in itself an infringement by a data controller. But if the data controller was negligent in their infosec and not up to GDPR standards which is then attributed to the breach, then the negligence would be an infringement.

> wouldn’t teach the DPO a lesson - they’ve done everything the law requires.

Without having the details I can only figure that if the DPO did everything the law requires, then a conviction and penalty has no merit in the 1st place.

And without knowing about your org, I cannot judge whether resources are being sensibly allocated. It sounds like GDPR compliance has a low priority there (which actually makes sense if the org is legally immune to GDPR fines anyway).

[–] Corporal_Punishment@feddit.uk 1 points 4 days ago (1 children)

Just really picking up on the last part.

GDPR is taken incredibly seriously here. But human error is the leading cause of breaches and in a situation you have teams that are grossly understaffed then mistakes will happen. A fine wouldn't deter it.

The only real solution is to hire more staff and share the workload. But there isn't any money so 🤷

[–] freedomPusher@sopuli.xyz 1 points 4 days ago* (last edited 4 days ago)

The DPA is not limited to fines. A DPA can give advice, issue warnings, and orders. A DPA is unlikely to use a heavy-handed but simultaneously ineffective or inappropriate tool for enforcement. The DPA also has discretion in the amount of the fine. The law at hand w.r.t. this thread disempowers the DPA from fines -- which would be increasingly important for repeat offenders.

I think it’s far-fetched to suggest that a DPA would ruin or sink a school. But it would be sensible for the penalty limit to be lower for public data controllers if that concern is realistic. There could also be an imposed leniency on 1st time offences.