European regulators wielded General Data Protection Regulation fines judiciously in the first 20 months after the law went into effect in May 2018. Nonetheless, a sharp increase during that period implies decreasing leniency, with legal and cyber experts predicting stricter enforcement to ensure companies comply with privacy requirements.
While still relatively low in volume, the number of GDPR fines increased 39% at the back end of the 20-month period between May 25, 2019 and January 27, 2020, according to a report from DLA Piper. Organizations required to comply with GDPR reported 160,921 personal data breaches to data protection supervisory authorities in that same timeframe.
That said, “organizations should in particular note the extent of fines levied by regulators for infringements that do not relate to data breaches,” said Alex Jordan, senior analyst at the Information Security Forum (ISF). “Regulators are equally likely to fine an organization for failing to uphold data protection principles in the GDPR, such as transparency and lawful basis for processing, as they are for failing to secure personal data appropriately.”
That the fines imposed are not only for actual breaches but also for regulatory infringements indicates that “the regulators have understood that they have a sharp tool at hand, and it seems they use it wisely,” said Dirk Schrader, global vice president at New Net Technologies.
Before GDPR enforcement began, organizations feared that regulators would use a heavy hand, doling out staggering fines. But that has yet to come to pass. “All the fears prior to GDPR coming into force were unnecessary,” said Schrader. “Fines are not handed out like crazy, regulators have a measured approach when it comes to evaluating a case, and there is no wave of reports.”
Still, U.S. companies with a global presence have felt the brunt of regulators' displeasure. The highest GDPR fine so far – $57 million – has been imposed on Google by French regulators, though Marriott may have to pony up $123 million.
“Given the scale of American companies and the volume of data they often collect, this explains why they have been levied some of the largest fines so far,” said Rehan Jalil, CEO at Securiti.
Jordan said that while the fines applied so far are “nowhere near their maximum threshold,” some discrepancies “still exist between regulators as to the extent of fines, reducing operational consistency for organizations operating across multiple jurisdictions.”
That raises questions as to why penalties aren’t harsher.
“In some scenarios, appeals against fines have been successful,” said Jordan, who pointed to the United Kingdom's decision to reduce two major fines by over 80 percent following appeals. “It is possible that prompt notification of data breaches, and cooperation with the regulator have played a part in staying the regulators’ hands.”
And though regulators have been conservative in imposing fines, that’s likely to change. Substantial fines of up to 4% of annual sales are still a very real possibility.
“Now is not the time to become lax around data protection,” said Jordan. “Just because a regulator hasn’t tested the limits of the GDPR, doesn’t mean they won’t do so in the future. In fact, if the history of EU enforcement actions is anything to go by, the data protection regulators are just getting started.”
The slow start in fines is likely due at least in part to delays in GDPR enforcement coming online, but this is clearly evolving.
“Data privacy has become a lightning rod for both consumers and governments, so we can expect more, not less enforcement of GDPR and similar legislations,” said Jalil. “Fines will also increase, not decrease.”
Compliance is the only way to avoid fines, he continued, “which means companies must have processes and procedures in place to discover and catalogue regulated data in their possession, continuously monitor for inappropriate access and implement security controls to prevent exfiltration.”