Some organisations sprang into action, mapping their data flows, polishing up policies, rolling out training and so on. Others took a much more relaxed approach – after all, they had managed to fly under the radar of regulatory scrutiny before, so why should the GDPR change that?
With the regulation having been in force for over two years now, data protection regulators have had time to get into the swing of GDPR enforcement. How is that enforcement panning out? Is it really the big risk that was predicted – or are there bigger risks to the bottom line?
Looking at enforcement trends, although a few headline-grabbing fines have been issued, most have been relatively modest in size. There have not been all that many of them either, considering the large volume of security breach notifications and complaints from individuals that data protection authorities (DPAs) across Europe have been dealing with.
The reality is that DPA fines are not the biggest threat to the bottom line. The greater threat for many businesses is the loss of confidence in an organisation once a GDPR breach, often cyber security related, becomes public knowledge. This can, and regularly does, hit share prices and drive away business.