This is a guest post from Patrick O’Kane, lawyer (UK barrister), Data Protection Officer for a US Fortune 500 company, and author of GDPR: fix it fast – How to apply GDPR to your company in ten simple steps.

“It’s too early to say!” quipped the Chinese Premier in 1972 when he was asked about the effects of the French Revolution in 1789.

It may be too early to say how hard regulators across the EU will penalize ordinary companies for breaching the EU General Data Protection Regulation (‘GDPR’), but last week we saw the first shot across the bow. The French CNIL fined Google 50 million Euros, which finally broke the dam. The fine was levied under GDPR for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization”.

GDPR came into effect on 25th May 2018. It is a data regulation nonpareil – arguably the most-hyped compliance regulation for a generation. 

Regardless, some of the GDPR hype has died down.

At the pinnacle of the hype, GDPR was more of a phenomenon than a compliance regulation. At one stage it was reported that it had outranked Beyoncé on Google Search.

Consumers received emails from needy companies asking them to consent to marketing. GDPR ‘consultants’ of all shapes and sizes filled the marketplace. London lawyers promised to salve our GDPR anxiety if only we retained their services.

And then… nothing. By July 2018, it seemed to have slipped off many board agendas.

The Other GDPR fines

As you know, the maximum fine under GDPR is €20 million or 4% of a company’s global turnover (whichever is greater).

Some of the GDPR fines levied by Regulators have been tame. Before the Google action, post-GDPR fines had been scarce, and they had not been headline-grabbing. For example:

The Google fine – 3 takeaways

One: Level of the fine – Google’s data protection law breach was not the most heinous we have seen. Essentially, Google have received a €50m fine for a lack of transparency and for sub-standard consents.

Two: It’s not just about data security anymore – In the old days the big fines were reserved for data security incidents. That time has passed. We now know that less impactful breaches of GDPR can attract fines in the tens of millions.

Three: They are going after the big boys – The Google fine shows that EU Regulators will be taking a much more aggressive stance against major corporations.

What should you do now?

It might be your last chance to get your own data governance in order. Right now you should:

Now is the time to push your company to get on the right side of GDPR.
