Cybersecurity Dive: GDPR Regulators are Sinking Their Teeth into Violators. 2020’s Fines are Proof.

January 28, 2021

O’Melveny counsel John Dermody spoke with Cybersecurity Dive on how data protection authorities (DPAs) are bolstering budgets to increase oversight and enforcement actions for GDPR violations. 

“Since GDPR was enacted in May 2018, EU data privacy watchdogs have issued just over US$332 million in fines,” the publication reported. DPAs don’t always clarify why or how they calculate their fines, however.

Additionally, DPAs have targeted most of their attention at US-based companies. “There are legitimate criticisms that this is unfair headhunting, but it also reflects a desire by data protection authorities to use big name cases to broadly influence the practices of industry,” said Dermody. 

One notable action taken against a US-based company was Ireland’s Data Protection Commission’s US$547,000 fine against Twitter for failing to notify customers of a breach within 72 hours and for insufficiently documenting its “effects and the remedial action” following the occurrence.

“Considering the attention the threat of massive fines has garnered, the cumulative penalties have so far been relatively small,” said Dermody. “That is cold comfort to those companies that have found themselves in the cross hairs of regulators and privacy advocates.”

Companies are also navigating who takes the lead on their data privacy practices, Cybersecurity Dive noted. In a recent survey, just over one-fifth of respondents said their chief privacy officer is in charge, followed by 23% who said it’s the CISO or CSO. The CEO and CIO were evenly split with 13%. 

Dermody added that left out of high-profile cases is “the daily grind of compliance,” including data access requests, internal privacy assessments, and implementing data management policies. “Privacy practices have improved, but compliance is not an end-state but rather a constant process.”

Read the full article here.