In July 2019, UK Information Commissioner’s Office (ICO) announced its intention to fine two companies for violating the European Union’s General Data Protection Regulation (GDPR). ICO began by disclosing its intention to penalize British Airways in the amount of £183 million (approximately $224 million) on 8 July. This fine followed on the heels of a September 2018 incident in which bad actors redirected user traffic to a fraudulent website that harvested the personal and account information of about 500,000 customers. Just a day after that, the independent authority revealed its plan to fine Marriott International £99 million (about $124 million) after a November 2018 incident exposed the records of 339 million guests, including 30 million individuals living in the European Economic Area (EEA).
Taken at face value, these fines represent significant penalties. But that’s not the case when one compares them to the affected companies’ overall revenue. As revealed by The Verge and CPO Magazine, the fines represented just 1.5 percent of both British Airways’ and Marriott International’s respective global annual turnover in the last few years.
This finding begs the question: are these fines high enough to produce meaningful change in these organizations’ security policies and procedures?
Tripwire created a series of Twitter polls to find out. Overall, these surveys revealed that most people don’t think the GDPR fines will have a meaningful impact on digital security. Let’s examine these results in greater detail below.
Too Little Fines and Too Little Change
Tripwire first asked what participants thought about these fines’ relative monetary amounts. A little less than half (43 percent) felt that that the amounts were appropriate. However, approximately the same number of individuals (42 percent) said that the penalties were too little, with just 12 percent saying they were too much.
Given these perspectives, it’s not surprising that survey participants were less than convinced that the fines would change those organizations’ security policies or practices. More than half (52 percent) said that there would be some change but not enough. Meanwhile, 22 percent said there would be absolutely no change.
It, therefore, makes sense that those GDPR fines failed to make 71 percent of respondents more confident about their data privacy.
A Positive Takeaway
Notwithstanding the results shared above, a majority of survey participants (60 percent) told Tripwire that recent fines have helped motivate their employers to take GDPR more seriously.
David Meltzer, CTO of Tripwire, admitted that it remains to be seen how or if British Airways and Marriott International will pay the fines cited above. But he noted that GDPR and data privacy regulation enforceability has caught momentum not only for organizations but also for EU member states. Hence the European Commission’s recent decision to call upon the Court of the European Union to fine both Greece and Spain at least a million euros for failing to transpose the Data Protection Law Enforcement Directive, Directive (EU) 2016/680, into national law.
In response to this growing focus on enforceability, Meltzer thinks organizations playing the waiting game on GDPR or data privacy, in general, should kick things into gear. He has a specific suggestion for how they can do this:
What’s interesting about the poll results is that while these fines might inspire more action on the companies’ parts, they don’t inspire more confidence in individuals that their personal data will be better protected. Organizations will have to continue working for their customers’ trust. Those who have put the right amount of focus in establishing best practice fundamental security measures have a head start.
Once organizations have created that baseline of fundamental security measures, they can then use those controls to achieve and automatically maintain GDPR compliance. All they need is the right solution to help streamline their efforts. Learn how Tripwire can help.