EU Regulatory Update

Enforcement actions from European Union (EU) data protection authorities (DPAs) in 2020 underscored how DPAs are implementing the GDPR and member state policies in determining breach-related fines. Although DPAs began actions in response to data breach notifications, in some instances investigations resulted in GDPR non-compliance fines unrelated to the data breaches themselves, demonstrating that a breach may expose an organization to a DPA’s examination of its entire GDPR compliance program.

DPA enforcement actions in 2020 drew particular attention to a number of mitigating factors in determining fines, and we expect these to be of continuing relevance this year:

  • financial hardship, including the impact of the COVID-19 pandemic on the industry;
  • actions taken by the organization to minimize potential harm to individuals;
  • full cooperation with the DPA during investigation (although not all DPAs view cooperation as a mitigating factor);
  • appropriate notice to the regulator and individuals;
  • other fines already imposed and costs incurred in relation to the same incident; and
  • an absence of prior violations.

As more countries implement mandatory breach notification procedures, we anticipate that regulatory enforcement will expand throughout 2021.

16

notices to 8 different EU DPAs


2

investigations remain open

Share this page