I was just speaking with a colleague about the news that Google has been fined the largest penalty to date for failing to comply with GDPR obligations. The penalty was around $56 million USD, but the Marriott data breach penalty is estimated to be around $1 billion. Why such a discrepancy between the two?

That $56 million penalty was issued due to how Google leverages user data and its failure to provide adequate information about consent policies. In contrast, Marriott had a massive data breach that went undetected for around 4 years, with hundreds of millions of guest records affected.

Of course, the $1 billion number makes for good headlines and is likely the worst-case scenario, but it is only speculation at this point. In fact, we have yet to see whether Google will even pay its $56 million penalty. Other uncertainties include whether insurance will cover GDPR penalties. We'll have to see how that shakes out. There is no clear answer on this yet, and experts seem to disagree.

I can say with some certainty that business leaders who didn't think GDPR applied to their organization need to take notice. GDPR-like regulations are headed our way. California was the first state to pass legislation that many believe will become a U.S. version of GDPR: the California Consumer Privacy Act of 2018. In addition, HITRUST has incorporated GDPR into the HITRUST Cybersecurity Framework (HITRUST HSF).

Concerns about data privacy aren't going away any time soon. Complying with security and data privacy obligations isn't easy, and penalties are turning out to be significant. Capable companies like Google are evidence of that. I've consulted my Magic 8-Ball to see if there will be larger GDPR penalties making the news this year. Its response: "It is decidedly so."