In May, the digital world was awash in privacy practice notifications that inundated users on websites and in email inboxes. This wave came as companies doing business in the European Union prepared for the implementation deadline of the General Data Protection Regulation. Talking heads fueled a media frenzy of speculation regarding when EU supervisory authorities would issue their first GDPR fines and who would be in their crosshairs.
Current events heightened the attention on these issues, as the world saw the announcement of several significant data breaches at companies including social media behemoths Facebook and Google. Analysts and compliance officials continue to watch regulators closely, anticipating that the first fines will arrive before the year is out. Several banks have been among the companies to suffer a breach in recent months, and the financial services industry will be keenly focused on how regulators address them. Fortunately, many financial organizations have established effective security operations centers and built experience in complying with the Payment Card Industry Data Security Standard, which puts them on solid footing as they strive for compliance with GDPR.
It might seem curious for the world’s attention to focus on this regulatory apparatus, but the potential magnitude of GDPR sanctions leaves everyone waiting with bated breath. The progressive penalty scheme threatens sanctions with magnitudes capped only by the annual revenue of the violating firm.
Those found guilty of the most serious violations may find themselves slapped with a fine that maxes out at 2 million euros or 4 percent of the firm’s worldwide revenue, whichever is larger. Let’s put that in perspective. Google’s total revenue last year was over $110 billion. If EU regulators chose to send a serious message to the firm after the recent Google+ breach, they could assess a fine as high as $4.4 billion. Similarly, Facebook’s 2017 revenue of over $40 billion leaves it vulnerable to GDPR fines of up to $1.6 billion after the company inadvertently disclosed the private information of millions of users.
Where the Finance Industry Stands on GDPR Compliance
At this point, businesses affected by GDPR have more questions than answers. Will social media giants such as Facebook or Google find themselves the target of the first major GDPR fine? Or will the honor of the first penalty land on a different company — a financial firm, perhaps? Will EU authorities use their early actions as a way to drive home the fact that they claim global jurisdiction over the personal information of EU residents? Privacy and compliance specialists are waiting with the rest of us to learn the answers to these questions.
Although we haven’t yet seen a fine, we did see the first GDPR enforcement action issued by the U.K. Information Commissioner’s Office back in September. This action targeted Canadian analytics firm AggregateIQ, alleging that the firm engaged in business practices that violated the privacy rights of U.K. subjects. The ICO has not yet assessed a fine for this action, pending the outcome of an appeal filed by the firm. However, the fact that the first GDPR enforcement action targeted a North American company does make one thing clear: the EU definitely intends to enforce GDPR against foreign corporations.
The bottom line is that U.S. companies that were adopting a wait-and-see attitude toward GDPR compliance are now on notice. The law is real, and regulators are taking their responsibility seriously. Now is the time to conduct a careful review of privacy practices and ensure that information belonging to EU residents is handled in a manner that is consistent with the principles of GDPR.