Check out this recent LawFlash by Morgan Lewis partners Michael Pierides and Simon Lightman discussing the groundbreaking fines the United Kingdom's Information Commissioner's Office (ICO) has proposed against two global organizations under the EU General Data Protection Regulation (GDPR). The GDPR seeks to promote transparent and responsible collection and maintenance of individuals' personal data, and the supervisory authorities that enforce it can impose fines on organizations that do not comply with its strict standards.
Recently, the ICO announced its intention to fine two companies following data breaches in 2018 that affected their respective customers. Under the previous data protection regime, fines were capped in the hundreds of thousands of dollars; in the new era of the GDPR, the two companies face proposed fines of $227.5 million and $123.1 million, respectively. Fines of this size put global companies on notice that the GDPR should be taken seriously, and that the ICO in particular will not hesitate to impose unprecedented consequences for noncompliance.
In light of these developments, companies that must comply with the GDPR should continue their efforts to meet the applicable standards or risk severe fines. They should also assess their service providers' processes and controls to confirm that those providers comply with GDPR standards as well.
The final resolution of the proposed fines will provide further guidance to other companies pursuing compliance and adequate privacy and security practices. The ICO has already made clear how quickly and forcefully it will act in its own pursuit of GDPR accountability.