That amounted to a 12.6 per cent increase from the period from 25 May 2018 to 27 January 2019, the firm noted, which had an average of 247 breach notifications per day.

That said, it would be “unwise to assume” that low and infrequent fines will be the norm going forward, DLA posited.

“Supervisory authorities across Europe have been staffing up their enforcement teams and getting to grips with the new regime. It takes time to build a robust case to justify higher fines. We expect to see more multimillion euro fines in the coming year,” it wrote.

“Fines certainly aren’t the only potential exposure for organisations which fall short of GDPR’s exacting requirements. Supervisory authorities enjoy a wide range of powers to impose other sanctions including in some countries’ ability to publicly name and shame the wrongdoer.”

There is also an increased risk of “follow-on” compensation claims, DLA continued, such as group litigation “which [follows] a regulatory finding of liability”.

“Litigation funders have billions of euros available to fund claims and – where local civil procedure rules permit – are becoming increasingly active pursuing group litigation claims for large groups of affected individuals on the basis of alleged breaches of GDPR and data protection laws,” it said.

“Recent UK group litigation claims based on data protection law infringements would be very familiar to US class action lawyers.”

VIEW ALL

In conversation with Lawyers Weekly, DLA Piper IP and technology partner Nicholas Boyle said that the potential financial impact of GDPR means it will be critical for in-house teams in Europe to work closely with the business to understand and implement measures to comply with the requirements of GDPR.

“Privacy, cyber and information security are at the top of the list for both the executive teams and boards of corporates, which means that compliance in these areas is a key focus for businesses, and in-house counsel have an opportunity and responsibility to be trusted advisers on these issues,” he said.

“In particular, in-house counsel should emphasise that privacy compliance is an organisation-wide matter – for example, everyone in the organisation should receive regular training, and it isn’t just something [that] can be addressed by IT departments installing additional software or configuring systems in a particular way.”

When asked if there are any specific lessons for Australian legal counsel, Mr Boyle said that the increasing penalties and increased enforcement approach in Europe “should be an indication that it is likely that in the near to medium term there will be increasing enforcement action (and consequences) under the Australian privacy regime”.

“Dealing with this type of regulatory environment is already a reality for many Australian businesses that have operations in Europe or are tech-based businesses with a global customer base, and indeed, it is not dissimilar to other areas of regulation domestically in the wake of the Hayne royal commission,” he explained.

“In-house teams in Australia should, like their European counterparts, be making the case that privacy compliance is an organisation-wide issue, and that protecting the privacy of individuals should [be] considered in every aspect of an organisation’s business – from product design, to sales and services processes, to responding to customer complaints, and HR and employment processes.

“If faced with some form of regulatory action, organisations will be in a better position if they can demonstrate that they have actively and earnestly engaged with their regulatory obligations and implemented systems and processes, even where a breach has occurred, relative to those organisations that have treated privacy compliance as an afterthought, or a ‘tick a box’ exercise that simply requires an external-facing privacy policy.”