GDPR taken more seriously after first fines
Over the last three months, data protection regulators across Europe have started to impose fines. It was widely expected that the first large fines under the General Data Protection Regulation would get organisations to take the new rules more seriously. Is this finally happening?
A recent poll among the Twitter followers of the security firm Tripwire shows that 43% considered the GDPR fines for British Airways and Marriott International "appropriate", 42% considered them lower than they should be, while only 12% thought the penalties were too high. The respondents are mainly security specialists, the authors say.
The poll was prompted by the two recent GDPR penalties proposed by the UK ICO, both quite hefty. In July 2019, the ICO announced its intention to fine British Airways £183m in connection with an incident in September 2018 in which attackers redirected user traffic to a fraudulent website that harvested the personal and account information of about 500,000 customers. The next day, the ICO announced that it planned to fine Marriott International £99m in connection with a November 2018 data breach that exposed personal data contained in approximately 339 million guest records globally, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA), including seven million in the UK. Note that both figures are notices of intent rather than final penalties: under the ICO's process the companies may make representations before the amount is confirmed.
The poll also revealed that security professionals did not believe the fines would necessarily drive any change in company policies and practices, particularly because the proposed amounts represent only around 1.5% of annual turnover for British Airways and Marriott International, well below the GDPR's maximum of 4% of global annual turnover.
Only 25% said the fines were likely to change policies and practices; a similar proportion (22%) said they believed there would be no change, while 52% said there would be some change, but not enough. Only 29% said the fines made them more confident about the privacy of their personal data.
The most positive indication from the Twitter poll, however, was that 60% said they believed the fines would cause their own organisation to take the GDPR more seriously.
A separate recent survey found that almost a third of European businesses are still not compliant with the GDPR, but there are encouraging signs of increasing maturity in data protection, with the new rules driving better, business-supporting practices.