Privacy experts: Expect larger GDPR fines

Risk managers and cybersecurity executives can anticipate larger fines for failing to comply with Europe's General Data Protection Regulation.

Fines are not the only punishment European regulators can impose on a company that fails to comply with the EU's General Data Protection Regulation, which is now a year old.

Just shy of one year into the European Union’s General Data Protection Regulation, companies and their risk managers should double-check they are keeping up with the law or face fines and other punishments, according to experts.

The GDPR took effect on May 25, 2018. In its first year, fines were not as large as anticipated.

Todd Marlin, a principal at Ernst & Young and its leader for forensic data analytics and data science, said the average fine has been approximately 70,000 euros (about $78,152). He expects fines to grow in size as time goes on.

“The largest fine has been 50 million euros (or just over $55.8 million), which is pretty small considering the regulation’s standards,” Marlin said.

The smaller fines are the result of an unofficial grace period from European regulators, said Odia Kagan, a partner at Fox Rothschild in Philadelphia and chair of the law firm's GDPR compliance and international privacy practice.

Kagan also said larger fines and other punishments are coming.

“The regulators that were interviewed prior to the implementation of GDPR have said they’re not going to enforce the new obligations right away,” Kagan said.

Kagan added that it takes time to finalize large fines. In January, the French data protection regulator fined Google 50 million euros (about $57 million), the largest GDPR fine to date. The complaint against Google was among the first filed when the GDPR took effect, and it took the regulator months to investigate it and issue the fine.

Fines are not the worst punishment European regulators can impose on a company. Kagan said that if regulators are notified of a breach and find that a company did not do enough to protect the data, they can give the company 90 days to remedy the situation or face being barred from using the data it collects.

“Companies can just pay the fine because they make more money than the fine,” Kagan said. “If they’re told they can’t use the data, that is big.”

Going forward, European regulators will want to see continued compliance rather than just having boxes checked, Kagan said.

One of the ongoing challenges is that corporations will have to remain compliant with the GDPR while focusing on new privacy regulations from different jurisdictions.

Marlin said companies have to decide how to proceed. Remaining compliant with just the GDPR may make sense in the immediate future, but it is not a good long-term plan. Data protection, Marlin said, has become more than just a legal issue.

“It is an ongoing business process. Data never sleeps,” Marlin said. “More and more jurisdictions are coming out with privacy statutes.”

This article was first published on our sister site, law.com.