While there haven’t been significant fines to date under GDPR since its implementation, experts predict that larger GDPR fines are likely pending. Why might larger fines be on the horizon? Below, we’ll share the perspectives of several experts.
The State of GDPR Fines
There have been 91 reported fines and over 59,000 personal data breach notifications across Europe, according to a recent report from the global law firm DLA Piper. The largest issued to date was the $57 million fine slapped on Google by France’s National Data Protection Commission for improper processing of personal data for advertising purposes. To learn more about the latest status of GDPR penalties and fines, check out this article.
Why GDPR Fines Are Expected to Increase
According to Ross McKean, U.K.-based partner at DLA Piper who was interviewed for the SearchSecurity article, companies can expect to see more fines and greater penalties as the regulators work their way through the backlog of reported incidents and conclude investigations.
In fact, according to Ms. Dixon, the lead GDPR regulator for U.S. tech companies that have their European headquarters in Ireland, the Irish regulator has 51 large-scale privacy investigations open, including 17 involving tech companies such as Facebook and Apple.
These GDPR fines are expected to affect organizations of all sizes, not just the tech giants.
Regulators want to take their time to ensure their decisions are legally robust before they impose more significant fines. They also want to make sure the fines pack a punch and can act as a deterrent.
So, should companies scale up or scale back their GDPR investments?
Marc French, senior vice president and chief trust officer at Mimecast, cautions that every organization has to assess its own risks, but “it would be unwise to go back to zero.”
The core tenet of GDPR is for companies to know the data they have and to make sure they are processing it correctly and securely. Thus, it’s essential for all organizations to understand what data they own, create a risk profile, and put the right security controls in place based on the value of the data they collect. In fact, many CISOs have welcomed GDPR because it has given them a regulatory rationale for gaining additional investments for security, according to French.
Additionally, with the upcoming spread of GDPR-like laws across the U.S., such as the Consumer Privacy Act in California, experts are anticipating more companies upping their investment in compliance, cybersecurity, and wider privacy controls.
What’s the Bottom Line?
GDPR is just the starting point. If your company does business in the U.S., before the end of this year, you will need to understand the requirements of the California Consumer Privacy Act (taking effect in January 2020)—and potentially a variety of state-specific data protection laws—and think through what your organization needs to do to be ready for them.
It’s not too early to start your compliance planning now and implement an agile solution that helps your organization rally toward compliance, avoid fines, and safeguard its reputation. To see how a compliance management solution can help you achieve these goals, talk to Hyperproof.