GDPR fines levied so far: The lessons businesses can learn
Enforcement of the General Data Protection Regulation (GDPR) went into effect May 25, 2018. In the approximate span of one year since that date, European data protection authorities confirm that almost 90,000 separate data breach notifications have been received. Note that those are just the notifications received from organizations attempting to comply with the GDPR. Those same data protection authorities report that during the same year almost 145,000 complaints and inquiries have been submitted by concerned citizens.
While European data protection authorities are less forthcoming regarding the collection of fines levied under the GDPR, several third-party investigations suggest that at least 100 organizations have paid fines for failing to fully comply with the regulation. By analyzing the higher profile fines, business enterprises may be able to glean vital information regarding the future application of the GDPR to their organizations.
Lessons learned from GDPR fines at the one-year anniversary
Since May 2018, data protection authorities in Europe have levied several high-profile and high-denomination fines against companies for violating provisions of the GDPR:
Lesson 1: It does not matter to the European data protection authorities whether violations of the provisions of the GDPR are unintentional mistakes stemming from neglect, laziness, sloppiness, or ignorance. A violation for any reason is punishable and businesses had better take compliance with the GDPR seriously.
Lesson 2: Willful, deliberate, and blatant violations of the provisions of the GDPR will receive the harshest fines from European data protection authorities. Businesses that attempt to test the resolve of the regulatory authorities will pay dearly for their arrogance.
Lesson 3: The provisions of the GDPR are well known, particularly among citizens of the EU, and individuals who feel those provisions have been violated are more than willing to report offending behavior to the data protection authorities. Unscrupulous businesses that count on the ignorance or passiveness of individuals are likely to pay a heavy price for that cynical attitude to personal data security and protection.
One more high-profile fine lends itself to another lesson for businesses:
Lesson 4: While serious violations of the provisions of the GDPR are still subject to fines, timely reporting of security breaches to data protection authorities and quick action to reduce the risk of exposure of personal data by violating businesses could reduce levied fines significantly. All businesses handling sensitive personal data should have appropriate security and compliance policies in place to mitigate the risk from GDPR violations.
The fines levied by the European data protection authorities during the first year of GDPR enforcement reveal one simple fact: The GDPR is real, enforceable, and applies to every business collecting, storing, and processing sensitive personal data. Compliance is not optional. Businesses risk significant, and possibly going-concern-ending, fines and penalties for non-compliance.