When the European Union (EU) passed the General Data Protection Regulation (GDPR) in 2018 with an enforcement date of May 2019, it was expected that many companies would be facing significant fines when they revealed they were breached. As it turns out it hasn’t been as big as many analysts feared.
Passed in 2016 and going into effect in May 2018, the GDPR was designed as an upgrade to previous privacy laws. Corporations based in or doing significant business in Europe had to provide significant investment in protecting their client’s data as privacy concerns began to creep in. This regulation allows customers to withhold their data and delete their own data at their request. If a breach were to happen, the company in question was to alert their customers within 72 hours and be subject to a significant fine equal to up to 4% of the value of the company.
But despite this, there hasn’t been any mega fines other than British Airways when their customer processing server was breached. There have been smaller enforcements in the various countries in the EU, but the larger scale fines have been rare to almost nonexistent.
Katherine Keefe, head of Beazley Breach Response Services, said: “In the first full year of the GDPR we have noted a varied approach to enforcing data protection rules by EU regulators alongside a general rise in regulatory activity. The extraterritorial provisions within the GDPR means organizations in the US and other non-EU territories may be subject to the GDPR due to having either customers or offices in countries subject to the rules. It is therefore all the more important that they track the enforcement developments to understand how they could be affected. Knowing how to manage and report a cyber breach helps organizations to both prevent and recover from an incident and avoid a sizeable fine if the breach is mishandled.”
As businesses adapt to the new regulations, smaller companies should take the time review their cyber procedures and continue to monitor their various accounts in order to avoid the damages promised in the GDPR and other similar regulation.