The Article 29 Data Protection Working Party (WP29) has issued guidelines on "the application and setting of administrative fines for the purposes of the Regulation 2016/679". These guidelines contain assessment criteria setting the levels for issuing administrative fines, taking a risk-based approach into account.
Aiming for an effective risk management effort should be key for any business: to be in control, to treat risk so that it stays within the risk appetite of management, and to mitigate any administrative fines issued to the business by the authorities and data protection agencies.
Even though rumor has it that the data protection agencies will follow a somewhat pragmatic approach for a start (after May 25th, 2018), the price tags for infringements of the regulation are interesting (or rather scary) seen from a management perspective.
https://www.linkedin.com/pulse/gdpr-sanctions-mitigating-factors-michael-christensen/
Well said. In this risk management, do we want to raise the bar of compliance to have some well-deserved peace of mind, or adopt a higher risk tolerance with minimal or no effort in approaching compliance, hoping a regulator or individual will never challenge your organisation's practices?
Not all regulators or individuals are pragmatic. You may have the resources to test such a level of understanding through legal processes.