The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018 and continues to be updated and discussed.

How does the GDPR affect you?

The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros. With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized companies. If you are dealing with clients who have operations in the European Union, data related to EU citizens could be subject to GDPR privacy and security laws; you need to be aware of the protocols. The European Union has created a checklist for US companies with operations in Europe: https://gdpr.eu/compliance-checklist-us-companies/

Events We Are Seeing

In 2020, regulatory fines for data breaches under the General Data Protection Regulation increased 39% in Europe to €158.5 million ($192.5 million), according to new research from law firm DLA Piper LLP. The company said regulators “tested their powers” under the GDPR in 2020 after a slow start during the regulation’s first 20 months when fines totaled €114 million. Total fines levied since the GDPR was introduced in May 2018 now stand at €272 million, with five country regulators accounting for more than 92% of the total, according to DLA Piper.

  • Italy has imposed the highest fines at €69.3 million, followed by Germany at €69.1 million and France at €54.4 million. The UK has imposed €44.2 million of fines and Spain €14.5 million. The French data protection regulator CNIL has levied the largest GDPR fine to date, of €50 million against Google LLC.
  • The report says there were 281,000 data breaches notified to European regulators under the GDPR by the end of January 2021. Germany has the most at 77,747, followed by the Netherlands at 66,527 and the UK at 30,536. France and Italy recorded just 5,389 and 3,460 data breach notifications, respectively.

DLA Piper said that while regulators are flexing their new muscle under the GDPR, they have also had several cases appealed or fines reduced. Last month, Austria’s postal service successfully appealed an €18 million data breach fine. Meanwhile in the UK, the Information Commissioner’s Office reduced a record fine of £183 million ($251.1 million) against British Airways (BA) to £20 million. It also slashed a proposed fine of £100 million against hotel chain Marriott International to just over £18 million.

Takeaways

While these fines seem extremely daunting, they show that the European Union has gone to great lengths to protect its constituents. If you have clients with operations in Europe, chances are there are data protection protocols you will need to follow.
