With the introduction in May 2018 of the European Union’s (EU) General Data Protection Regulation (GDPR), 2019 was expected to be the year of enforcement, with regulators using extended powers to set a higher bar for managing individuals’ data.
Regulatory activity certainly increased in 2019 compared to previous years. Some headline-grabbing fines were issued, with social media giants being notable recipients of some of that attention. However, the widespread use of ‘mega-fines’ did not materialise, according to research by leading cyber insurer Beazley. What was evident in 2019 was that different regulators took a more varied approach to enforcing the new rules than had been expected.
The latest Beazley Breach Insights report analyses the actions of data protection regulators across the EU in 2019 and the impact on organisations based elsewhere that are nonetheless subject to the rules through their business structure or customer base.
While fines handed out by the Information Commissioner’s Office (ICO) in the UK have been relatively rare, other European regulators have been more active. GDPR fines have been issued more regularly across Belgium, Bulgaria, France, Germany, Greece, Hungary, Italy, Lithuania, the Netherlands, Norway, Poland, Romania, Spain, and Sweden.
Katherine Keefe, head of Beazley Breach Response Services, said:
“In the first full year of the GDPR we have noted a varied approach to enforcing data protection rules by EU regulators alongside a general rise in regulatory activity.
“The extraterritorial provisions within the GDPR mean organisations in the US and other non-EU territories may be subject to the GDPR due to having either customers or offices in countries subject to the rules.
“It is, therefore, all the more important that they track the enforcement developments to understand how they could be affected. Knowing how to manage and report a cyber breach helps organisations to both prevent and recover from an incident and avoid a sizeable fine if the breach is mishandled.”