Tech, E-Commerce, and Social Media Hit With Highest Data Privacy Penalties
Regulatory compliance is a significant challenge for organizations as governments worldwide continue to tighten data privacy mandates.
October 2, 2024
Since 2020 alone, more than 2,700 data privacy fines have been levied globally, extracting at least €6.6 billion, according to NCC Group.
When the European Union’s General Data Protection Regulation (GDPR) first went mainstream in 2016, the sweeping nature of data privacy mandates left many organizations breathless. GDPR also had other government bodies wondering if they were too far behind technology advances or behavioral shifts to enact similar measures.
It’s different now. According to NCC Group’s Global Cyber Policy Radar, public-sector agencies worldwide now regularly pass stringent mandates on data privacy and related areas, such as cybersecurity, online safety, and artificial intelligence.
These rules of the road are necessary to ensure that the technologies are safe and secure to use. However, for organizations operating across national borders, multiple industries, and different technologies, navigating them is set to be a complex challenge for some time to come.
In data privacy, for example, analysis of worldwide fines reveals startling differences in where, and in which sectors, sanctions are issued.
Only 72 penalties were levied in the United States, while UK organizations got hit with just 14. By contrast, Spain racked up more than 840 fines. Meanwhile, Ireland is being most forceful against technology conglomerates in particular: the 20 fines it levied in this sector represent at least a third of the sanctions in this vertical, which chalked up a bill of approximately €2.5 billion.
Overall, tech, e-commerce, and social media firms are getting slapped with the steepest penalties. The public sector, which faces significant challenges with legacy technology, is the largest area of global enforcement, although this only results in a penalty in one in three cases. Moreover, when it does result in a penalty, fines are comparatively small.
One major obstacle to full compliance is that the rules are often complex and overlapping. Navigating this rocky terrain is difficult even with the best intentions and budget, even as high-level executives like security chiefs become targeted in government enforcement. That makes the regulatory environment everyone’s priority, and the C-suite especially must stay fully informed of the constant updates and other changes in the regulatory landscape.
NCC Group draws on ongoing research with a global client and employee base to offer insight into policy and regulatory shifts. The report also includes NCC Group analysis of international data on data privacy fines collated by OneTrust.