On May 25th the European GDPR regulations come into force, at which point investigations will start.
You will be investigated if somebody complains: for example, if somebody has asked for their data to be removed from your systems and then receives an email from a member of your sales team who is still holding their data in a spreadsheet.
Or you will be investigated if you have a data breach.
In the days before GDPR (as I write, for example) the process and the fines are not really defined. The great thing about GDPR is that the rules are laid out and you HAVE to follow them. Fines can reach €20 million or 4% of revenue.
This article is great at laying out those rules, and you can get more from our experience; we also have a free deck that might help you.
How as a Small Business We Became GDPR Compliant http://www.social-experts.net/small-business-became-gdpr-compliant/ via @DigitalLeadersA
After a breach, controllers have 72 hours to alert regulators and must notify people at risk “without undue delay.” Processors are expected to notify the controller ASAP if they detect the breach first. More importantly, EU regulators want to see that your company (whether you’re the controller or processor) did everything reasonably possible to prevent the incursion and protect personal data. They’ll focus on your cybersecurity processes – what you say you do – and governance – how you track and enforce execution of these processes.