GDPR has fines:

Up to EUR 10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; applies to infringements such as controller and processor obligations, security of processing, record-keeping, and breach notification duties.

Up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher; applies to infringements of basic principles for processing, data subjects’ rights, and unlawful transfers of personal data to third countries or international organisations.

▲

tsimionescu 2 days ago | parent | next [-]

Sure, in principle. Have you heard of any company that suffered any significant hardship (say, stock price plummeting, personnel reductions, bankruptcy) because of one of these fines?

	▲	jamiecurle 2 days ago \| parent \| next [-]
		Specific to the UK, there's a list of enforcement actions that the Information Commissioners Office (ICO) have taken: https://ico.org.uk/action-weve-taken/enforcement/ Some went to prison, some were fined £14M and it's a mixture of small fry and big fry.
	▲	zrn900 a day ago \| parent \| prev [-]
		Big companies arent suffering any of those. But small businesses and individuals are. Just see the enforcement lists. They are fining small flower shops that sent emails to 20-30 people, some of whom subscribed to it decades ago, then forgot. Or small internet startups for missing one subscription record and whatnot. Like all other corporate moat-building efforts, GDPR has been successful in destroying small businesses in favor of big ones.

▲

dangus 2 days ago | parent | prev [-]

These fines aren’t something you’re responsible for paying by merely being breached. These are imposed for misconduct in data handling.

It’s not very hard to handle customer data in a legally compliant way, that’s why you don’t see companies deciding against retaining data.

You can do everything right and still have a data breach, and in that case nobody is fining you.