GDPR To Date – The €20M Fines and Behind the Scenes Action (1).png

GDPR To Date – The €20M Fines and Behind the Scenes Action

Circa May 24, 2018, the world as we knew it was about to end, GDPR enforcement would go into effect in 24 hours and €20M fines would surely follow. It is nearly six months later and, aside from virtually every website you go to having a new cookie and privacy policy pop-up, what has changed?

From a headline’s perspective, it is quiet; no major companies have been hit with crippling penalties or forced out of business. This lack of fanfare is not, however, an indicator that GDPR is not having an impact on contracts or how we do business. The Data Protection Authorities (DPA) are hard at work, having laid out a review and response process that for all but the most straightforward cases will require months or even years for cases to move through the process.

“For clear and simple cases, it will take some months before a fine will be issued. For other cases (the majority) it will take longer.” Marit Hansen, Unabhängiges Landeszentrum für Datenschutz (ULD)1

Pulling back the curtain on GDPR to gauge the potential penalties requires looking at each DPA’s list of investigations. For example, Austria has at least 36 new fine proceedings since May 25th and has initiated 58 investigations. Further, they have received 252 breach notifications as of October 5, 2018.If we take into account the number and relative size of the DPAs in the European Union, it becomes clear there is a slow-burning fuse that will lead to bad headlines.

Given this slow, but the inevitable march towards sanctions and fines, what is the prudent company’s proper prioritization of GDPR? As with most things – it depends. To prioritize a set of activities, you must first understand the risk and opportunity each represents. To illustrate let’s look at two use cases – M&A and vendor procurement contracts.


M&A deals require a thorough evaluation of all risk factors – including evaluating a target’s data protection status and risk. However, time is often limited, and GDPR can further complicate matters by prescribing limits on the access to documents containing private data.

Seal advanced analytics for M&A and data privacy can address both time-to-answers and access control. The pre-built analysis packs built by domain experts address up to 80% of the contract analysis requirements – significantly reducing the number of manual reviews and time required. In a recent M&A action with a Global 2000 company, Seal automated 90% of the human tasks and reduced overall completion time by 75%.


A short review of the cause of data breaches in 2018 will reveal that third-party vendors are often a factor in data breach and data loss incidents. The potential for a data breach is never good, but when the data is subject to GDPR, the risk factors require prioritization of an analysis of vendor contracts for compliance with GDPR and the company’s data protection policies.

However, many organizations are already struggling with visibility into their vendor contracts. Adding data protection analysis on top of cost-saving opportunity analysis seems unrealistic, and one or both analysis projects are differed – resulting in increased regulatory risk and no cost savings.

Seal advanced analytics for procurement is working with a Fortune 500 company, in the first month they reclaimed £5 million and targeted over £50 million in improvements to the supply chain for the first year. The Seal AI-powered analytics for Brexit and GDPR also improve risk visibility and prioritization of projects for the high-value human resources.

The two use cases illustrate that while GDPR may not be a company’s singular priority, it is changing the contract review process. Companies are using technology to reduce risk – including Seal AI-powered analytics – which helps limit data exposure and speeds time-to-answers.

To learn more about Seal advanced analytics for Brexit, GDPR, M&A, Procurement and more, please <Click Here> or contact us for a demo.