EU Regulatory Update
Enforcement actions by European Union (EU) data protection authorities (DPAs) in 2020 underscored how DPAs are applying the GDPR and member state policies when determining breach-related fines. Although DPAs opened these actions in response to data breach notifications, in some instances the investigations resulted in fines for GDPR non-compliance unrelated to the data breaches themselves, demonstrating that a breach may expose an organization to a DPA's examination of its entire GDPR compliance program, not only its breach response.
DPA enforcement actions in 2020 drew particular attention to a number of mitigating factors in determining fines, and we expect these to be of continuing relevance this year:
- financial hardship, including the impact of the COVID-19 pandemic on the industry;
- actions taken by the organization to minimize potential harm to individuals;
- full cooperation with the DPA during investigation (although not all DPAs view cooperation as a mitigating factor);
- appropriate notice to the regulator and individuals;
- other fines already imposed and costs incurred in relation to the same incident; and
- an absence of prior violations.
As more countries implement mandatory breach notification procedures, we anticipate that regulatory enforcement will expand throughout 2021.
[Infographic: notices to 8 different EU DPAs; investigations remain open]