As watchdogs bulk up budgets and staff to respond to more infringements, Tantleff said, a degree of consistency should follow. “Based solely on my own experiences … when a penalty is issued, they are smaller in nature if the organization is the party that alerts the supervisory authority,” as opposed to the authority finding out by other means, he said.
As a result of the GDPR and impending legislation in the U.S., such as the California Consumer Privacy Act, businesses have invested millions in data protection, Tantleff added. “This is an investment that would not have happened but for the GDPR,” he said.