Are GDPR Fines Too Low?

According to a Twitter poll conducted by Tripwire, the fines given to companies who have broken GDPR laws are still not high enough, despite being in the millions.

The mutually agreed General Data Protection Regulation (GDPR) came into force on May 25th, 2018, and was designed to modernise laws that protect the personal information of individuals. However, many companies, including British Airways and Marriott International, are struggling to adhere to the laws.

In 2018 there was an incident at British Airways in which bad actors redirected user traffic to a fraudulent website that harvested the personal and account information of about 500,000 customers. The airline was fined £183m for this data breach. Marriott International also had an incident, which exposed the records of 339 million guests, and was fined £99m.

These are the biggest GDPR fines given so far, but they were not the full amount that could have been issued by the Information Commissioner’s Office (ICO). They both represent 1.5% of the companies’ global annual turnover, whereas the ICO could have opted to issue a fine of up to 4% of the same. In a poll completed by Tripwire’s Twitter followers, the majority of whom work in cyber security, 45% said the fines were appropriate, while 43% said they were too low. Just 12% considered the fines too high.

This raises the question of whether these fines are high enough to produce meaningful change in these organisations’ security policies and procedures. In another poll, 53% said that they thought the fines would change organisational practices a little, but not enough.

This interesting debate relates to recent research by Parseq, which found that the majority of businesses in Britain have failed to adequately prepare for the consequences of GDPR, and struggle to satisfy the number of data requests that have been made. They also found that 35% of European firms are confused about how to monitor and hold employee data. Overall, these findings suggest that firms are finding it difficult to comply with GDPR, which could explain the recent large GDPR fines given out.

The 43% of people who voted that the fines are not high enough could be concerned about their own personal data. David Meltzer, CTO of Tripwire, has suggested:

“What’s interesting about the poll results is that while these fines might inspire more action on the companies’ parts, they don’t inspire more confidence in individuals that their personal data will be better protected.”

These poll results raise questions about the effectiveness of GDPR, and whether more needs to be done to ensure that companies adhere to it. There are undoubtedly more fines on the way, and perhaps this will force businesses to take GDPR laws more seriously.

As a conveyancer, do you think firms are taking GDPR compliance seriously enough? Should the fines be higher?
