Dive Brief:
- Regulators have issued more than $1.7 billion (1.5 billion euros at current exchange rates) in General Data Protection Regulation (GDPR) fines since it went into effect in May 2018, according to data from EnforcementTracker.com. Fines exceeded $1.4 billion last year, accounting for more than 80% of total fines.
- Across the 949 fines levied, data processing violations have proven most costly to organizations, accounting for one in five violations and almost $875 million in fines.
- Industry and commerce accounts for the most fines levied, 212, followed by media, telecommunications and broadcasting (166 fines), and transportation and energy (45 fines).
Dive Insight:
Almost four years into GDPR, regulators have taken time to find their footing in pursuing violations. While the fines initially appear steep, it's fairly common for EU data protection authorities (DPAs) to reduce initial fines. For example, the U.K.'s Information Commissioner's Office (ICO) lowered Marriott International's fine, originally set at $124 million (99 million pounds), to $23.8 million for the breach it disclosed in 2018.
The number of privacy violations still exceeds what regulators can enforce. In 2021, GDPR regulators were notified of more than 130,000 personal data breaches, according to data from DLA Piper. On average, regulators received 356 breaches per day in 2021, an 8% year-over-year increase from 2020.
While a federal data privacy law for the U.S. remains out of reach, compliance with the California Consumer Privacy Act (CCPA) is still a challenge. Only 11% of companies fully meet the regulation's standards, according to research from Cytrio. The report is based on a six-month study of 5,175 U.S. companies with revenues ranging from $25 million to more than $5 billion.
Of those companies, 45% relied on manual operations — including email and web forms — to respond to data requests.
Gartner predicted privacy-related spending will exceed $8 billion this year, a fraction of what is spent on security.
Data privacy compliance is an ongoing process, not a one-and-done task. Privacy requires a constant commitment from the business as data travels and accumulates. And in an incident, security and privacy teams share the responsibility of damage control.
The chief privacy officer's (CPO) responsibilities, according to Michael Ehrlich, CTO at IronNet, include:
- Understanding what data the company can collect and why
- Understanding how companies should store data and for how long
- Outlining scenarios for why and when certain data should be accessible
- Outlining limitations on how data is used and when data should be destroyed
This is "all in an effort to meet federal and state level data privacy regulations, and be able to make those policies auditable for regulatory purposes," Ehrlich said. CPOs do not have responsibility in database selection or storage costs, both of which fall under the purview of the CIO. The security of the databases and audit access belong to the CISO. And how to destroy data is a responsibility shared between the CIO and CISO.
"In many companies the CISO becomes the de facto CPO," said Ehrlich, "as organizations assume that since the CISO understands how to protect systems and data, they should also somehow know what data they need to protect."
Gartner predicts by the end of the year more than 1 million organizations will have a privacy or data protection officer. In 2018, when GDPR began, only "a few thousand" privacy officers existed globally.
The CPO alleviates CIOs and CISOs of certain burdens, namely regulator compliance. Companies are finding greater reason to adopt a CPO "as the public becomes increasingly aware of the lengths that companies go to gather private information," and then sell it to other parties, said Ehrlich.