Over the past few weeks, the UK Information Commissioner’s Office (ICO), which enforces GDPR in the UK, has been threatening big companies with fines for GDPR noncompliance.
Most notably, you may have heard about fines for British Airways (BA) and Marriott. Marriott is looking at a fine of $123 million and BA is facing $230 million in fines. Then there is the onslaught of complaints that have been coming in. Amazon, Facebook, and even streaming services like Netflix and Spotify are currently in the crosshairs, due to some of the ways they handle data.
The GDPR Landscape
I had a chance to discuss the current GDPR landscape in the UK with Chris Payne, who is Managing Director at Advanced Cyber Solutions in the UK. Chris also happens to be a certified GDPR practitioner.
What is important to note is that the fines have not been handed out yet. Both Marriott and BA have a few weeks to appeal the penalties laid out by the UK ICO. The point is that the fine values above may not even be the final outcome for these companies.
Chris Payne explains, "They may not even be fined. I guess it depends on the information and evidence..."
If you want to learn more about who is facing fines and where the UK ICO is in the process of handing out fines, you can check out the ICO's website. Chris says it's a great resource to get a better handle on what is happening in real time.
The Data Protection Landscape in the US
The argument is always being made that US companies shouldn't care about the GDPR, but what is worrisome about this approach is that the Federal Trade Commission (FTC) does hand out fines for data protection offenses. Equifax and Facebook are the latest to come under fire. Facebook has been fined $5 billion, which many say will not do anything to stop their shady business practices. Facebook actually saw an increase in stock prices that exceeded $5 billion right after the fine was imposed.
As for Equifax, the company is currently settling a lawsuit. If you were affected by the Equifax breach back in 2017, you are eligible for free credit report monitoring or $125 in compensation if you already have credit monitoring. You may also claim up to $20,000 per person for time and money lost due to setting up credit freezes in the wake of the breach.
Something Has to Give
GDPR is starting to show its teeth, although we have to wait for the first lawsuits to be sure. However, these new fines being handed out by GDPR enforcers and the FTC mean that businesses need to start taking data protection seriously. More importantly, small and medium-sized companies can't handle fines that Facebook, Equifax, Marriott, and BA can weather. This may become a competition issue for smaller businesses.