There haven't been many fines under the General Data Protection Regulation since the EU data privacy law went into effect a year ago. But experts warn that will likely change.
It's been a year since the EU General Data Protection Regulation went into effect, and GDPR fines imposed on companies to date have been modest. But larger GDPR fines are on the way, experts warned.
According to Ross McKean, U.K.-based partner at global law firm DLA Piper, companies can expect to see more fines -- and sizeable ones too -- as the regulators start to get through the backlog of reported incidents and conclude investigations.
In the first eight months since the implementation of GDPR, there have been 91 reported fines and over 59,000 personal data breach notifications across Europe, a recent report from DLA Piper unveiled.
The largest GDPR fine issued so far was the $57 million fine slapped on Google by France's National Data Protection Commission for improper processing of personal data for advertising purposes. The maximum penalty for GDPR violations is $20 million euros or up to 4% of a company's annual "turnover" or revenue from the previous year; Google's annual revenue in 2018 was more than $136 billion.
"It takes time to impose more significant fines as regulators will want to ensure that decisions are legally robust," McKean said.
There has been a slow uptake in terms of administrative fines as regulators are currently inundated with breach notifications and have to prioritize them, he added.
We've seen a few fines coming through already, but there will be more to come and it won't just be in the tech sector.
Ross McKeanPartner, DLA Piper
"We've seen a few fines coming through already, but there will be more to come and it won't just be in the tech sector," McKean said. "This will have a ripple effect, which of course the regulators want. One of the key objectives of fining and sanctioning is to act as a deterrent."
According to Marc French, senior vice president and chief trust officer at Mimecast, the "modest" GDPR fines could lead companies to take new risk decisions.
"While I think the regulatory actions are good, I also don't see the big bite that was expected," French said. "It hasn't nearly been the 4% of the [annual] global turnover that was touted when GDPR went into effect in May last year ... and there is some general concern of whether companies are going to now be willing to take up more risk."
When it comes to GDPR fines, the regulators are not just going after tech behemoths. Much smaller organizations are getting fined as well, French said.
"Folks have to realize that they're still on the hook and that the regulatory agencies are looking lower down the food chain," he said. "While companies may take a risk decision to scale back on GDPR investments that they have made, it would be unwise to go back to zero."
GDPR's effect on cybersecurity
There is a "completely new paradigm" for addressing data breaches in the GDPR world, McKean said.
"You can't sweep incidents under the carpet; because of the risk of revenue-based fines, notification is the new norm," he added.
GDPR has also provided companies more visibility into the data they are collecting, French said. The core tenet of GDPR, he said, is for companies to know the data they have and to make sure they are processing it correctly -- and securely.
"Its great value to me is in understanding what you have because most information security programs are based on data and not knowing the data you have doesn't allow you to create a risk profile and actually put the right security controls based on the value of the data that you collect," he said. "GDPR [compliant] companies now have the foundational elements they need to build a good information security program because if you don't know what you have, you don't know what to protect."
GDPR has also changed the financial equation for organizations when it comes to privacy risk, McKean said. It has encouraged organizations to think holistically about privacy risks and investing in improving privacy controls and governance, he added.
"Pre-GDPR, the downside of not complying with data protection law was actually quite low for organizations with limited and low enforcement risk coupled with low fines in most countries," he said. "What GDPR has unquestionably achieved is a very significant uptick in privacy and information security spend for compliance."
Most CISOs have also welcomed GDPR because it has given them a regulatory rationale for getting additional investments for security, he added.
Justin Harvey, managing director and global incident response lead for Accenture Security, said the concept of digital trust -- between consumers and the companies that collect and use their data -- has taken off in recent years because of GDPR.
"GDPR is the right way to go with the right to be forgotten, the right to know how companies are using your data, and the right to be notified when they're selling it," Harvey said. "We're woefully behind in North America on this, and I think one of the things that need to occur in the next five to 10 years is building trust."
McKean believes the risk of fines and litigation in the U.S. has driven significant investment in cybersecurity and wider privacy controls. "We anticipate that this trend will gather pace as GDPR-like laws spread across U.S. states, such as the new Consumer Privacy Act in California," he said.
While GDPR has had a material effect on enterprise cybersecurity, French said there's still work to be done. The foundation of incident response (IR) hasn't changed much, he said, and companies haven't recognized that they need to make further investments in their IR process to get ahead of things like GDPR, he said.
"They have probably updated their runbooks to make sure that they talk to their supervisory board when they are breached," he said, "but they haven't fixed the foundational problems of having better alerts and monitoring and getting ahead of it as opposed to doing the reactive stuff."
