Posted In: Cybersecurity & Data Privacy
By Craig S. Horbus & Jarman J. Smith on April 14, 2021
The European Union (EU) has begun taking an aggressive approach toward privacy law enforcement. Since the enactment of the General Data Protection Regulation (GDPR) in 2018, the EU has fined companies over $330 million for breaching data protection regulations.[1] As the number of data use violations continues to increase, we can expect the number of penalties and fines issued against non-compliant actors to grow as well.
Cybersecurity insurers have warned that the number of claims filed over data breaches and cybersecurity threats is soaring to record highs. As data breaches become more frequent, supervisory authorities are relying heavily on monetary fines as their primary enforcement mechanism. Fines levied under GDPR totaled nearly $200 million from January of 2020 to January of 2021, representing almost a 40% rise over the previous 20-month period.[2] Moreover, within that year-long window, data-compliance regulators were notified of more than 121,000 data breaches concerning businesses covered by the GDPR, an increase of nearly 20% over the preceding 20-month period.[3]
The highest financial penalty recorded for infringement of data protection laws to date is $56.6 million.[4] This penalty was imposed by the French data protection regulator on technology giant Google back in 2019 for alleged violations of GDPR's transparency and consent requirements.[5] This regulatory response to data violations indicates that there may be increasingly tougher enforcement actions to come, as regulators have begun adopting strict interpretations of GDPR.
The growth in GDPR enforcement comes as the number of corporate victims of cybersecurity breaches and data hacks continues to rise. As a result, many of the GDPR fines imposed have been against companies that mishandled data breaches. For instance, in December of 2020, Twitter was fined over $500,000 for failing to disclose a data breach involving a program error in which certain protected tweets were exposed to the general public.[6] Twitter's half-million-dollar penalty was the first case of a cross-border enforcement action brought against a tech company, reinforcing the notion that the reach of GDPR does not stop in Europe.
How to Avoid GDPR Fines
We can expect the trend toward increasingly tough enforcement actions to continue into the foreseeable future. Thus, to avoid substantial GDPR fines and penalties, it is becoming progressively more important for businesses to become fully GDPR compliant. As a starting point toward GDPR compliance and penalty avoidance, your organization should do the following:
- Consult with professionals experienced in the area of privacy law and data protection, including GDPR, the Personal Information Protection and Electronic Documents Act (PIPEDA), and the California Consumer Privacy Act (CCPA). As of January 2021, over 130 jurisdictions have data privacy laws.[7]
- Become familiar with the key concepts and articles within the GDPR. For instance, Article 5 sets out the principles governing the processing of personal data, Article 6 sets out the lawful bases for processing personal data, Articles 12 through 22 set out the rights of data subjects, and Articles 25 and 32 describe the protection measures required to safeguard the personal data of the data subject. To properly understand GDPR, you will also need to learn the definitions of its key concepts, including:
  - Data Subject – a natural person whose personal data is processed by a controller or processor;
  - Data Controller – the entity that determines the purposes, conditions, and means of the processing of personal data;
  - Data Processor – the entity that processes personal data on behalf of the Data Controller; and
  - Personal Data – any information relating to a natural person (Data Subject) that can be used to identify the person directly or indirectly.
- Take initial steps toward privacy compliance by reviewing and updating privacy policies to better inform consumers of their rights in relation to your organization's data processing, data mapping those processes, and training employees on the basic principles of privacy law.
- Schedule regular audits of data processing activities and cybersecurity controls in your organization. You should keep updated records of personal data processing, ensure that data is protected from hacking, and delete data that is no longer necessary for your organization’s data processing purposes.
- Make adjustments to your websites. Relevant adjustments include updating opt-in forms so that contacts can select which communications they would like to subscribe to, and gathering cookie consent by informing visitors about the purpose of cookies and trackers before setting anything other than strictly necessary cookies.
- Consider additional GDPR compliance issues such as data transfer and disclosure requirements, Data Protection Impact Assessments (DPIAs), Legitimate Interests Assessments (LIAs), the appointment of Data Protection Officers (DPOs), and the processing of children's data and other sensitive data.
Privacy regulations are complex pieces of work; therefore, it is difficult for organizations to understand these regulations and implement the policies needed to avoid penalties for noncompliance. Brouse McDowell's Cybersecurity and Data Privacy team can provide the guidance and tools you need to develop an understanding of basic privacy law principles and to become compliant with regulations like GDPR. Along with providing general guidance through the complexities of data privacy laws and regulations, we also provide proactive solutions for companies to defend against cyber-attacks. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and related litigation services regarding cybersecurity and data breaches (investigation, defense, insurance recovery, and response). Please contact us for more information and to learn how we can partner with you.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for, legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney-client relationship is created or implied by this blog. © 2021 Brouse McDowell. All rights reserved.