Since the introduction of the European Union’s General Data Protection Regulation (GDPR) in May of 2018, regulators have handed out $330.5 million in fines, with $192 million in the past year alone. As GDPR matures, regulators are growing tougher with their fines. Breach notifications are also on the rise, having increased 19 percent over the past 12 months. Germany leads the way with 66,527 breach notifications, and Italy has had the fewest with 3,460. Germany, France, and Italy are the top 3 countries that have imposed fines, with a combined $234 million since GDPR was enacted.
With the impact of COVID-19, organizations have been fortunate to have their fines drop significantly with the promise to improve their security posture. Marriott saw its fine reduced to $25 million from the original $123 million for a breach that lasted over 4 years and resulted in the compromise of 339 million guests’ information. British Airways saw its fine reduced to $27 million from the original $230 million; that fine resulted from the personal data of over 400 thousand customers being stolen when its website redirected to a fraudulent one that collected customers’ personal details. This went undetected for over 2 months. The pandemic has provided temporary relief on some fines, but this isn’t permanent. Organizations need to ensure they are following GDPR regulations, or it is going to cost them in large-scale fines.
The 4 potential sources of privacy protection are markets, technology, self- or co-regulation, and law. GDPR has taken the traditional approach of law to enforce privacy and data protection. That GDPR fines keep increasing and are strictly enforced shows that laws do not necessarily result in increased privacy and security. The best piece of advice for organizations having to follow GDPR guidelines is to err on the side of caution, as fines and cumulative damage claims are only going to rise. As GDPR matures and evolves, there may be new, stricter regulations released in the future.