When GDPR first went into effect in May 2018, people talked about horror stories of fines to the tune of 4% of a company’s total global revenue.
Then reality hit and there were no fines or tiny fines. Or so it seemed.
The problem with regulators is that it always takes them a while.
Legitimately, you do want them to make sure that they are only issuing fines when appropriate.
This week we have two big fines on the horizon.
The UK Information Commissioner’s Office (ICO) has decided to fine Marriott 99 million Pounds Sterling or roughly $125 million for the Starwood breach. While that is not the end of the world for a company like Marriott, and it is even possible that they have insurance to cover some or all of it, Marriott is fighting it. (Source: BBC).
Also in the UK, the ICO decided to fine British Airways 183 million Pounds Sterling or about $225 million for a website breach that affected about a half million people. That represents 1.5% of their global revenue for 2017. (Source: BBC).
Some people were hoping that the various data protection authorities were going to be all bark and no fine, but reality is a little different.
We have already seen many smaller fines. But it is all relative. A Polish taxi cab company was fined 160,000 Euros for failing to delete data that they could not justify retaining. 160,000 Euros for a taxi company might be harder to swallow than 183 million Pounds for BA.
And from the scuttlebutt, what we hear is to expect many more fines during 2019 and 2020 as the authorities ramp up their staff and complete investigations. As of January of this year, authorities had received about 60,000 complaints (Source: Law.com). Helen Dixon, the Irish Data Protection Commissioner, had 29 people on her staff in 2015 – before GDPR. Ireland is where companies like Facebook have their European HQs for tax reasons. Helen has a staff of 133 right now with 30 openings and is anticipating adding more staff in 2020.
Companies big and small should not plan on flying under the radar because even if one of the data protection authorities doesn’t single you out, if your users are among those 60,000 complaints, you could still wind up being investigated.