In July 2019, the UK Information Commissioner’s Office (ICO) announced its intention to fine two companies for violating the European Union’s General Data Protection Regulation (GDPR). ICO began by disclosing its intention to penalize British Airways in the amount of £183 million (approximately $224 million) on 8 July. This fine followed on the heels of a September 2018 incident in which bad actors redirected user traffic to a fraudulent website that harvested the personal and account information of about 500,000 customers. Just a day after that, the independent authority revealed its plan to fine Marriott International £99 million (about $124 million) after a November 2018 incident exposed the records of 339 million guests, including 30 million individuals living in the European Economic Area (EEA).

Taken at face value, these fines represent significant penalties. But that’s not the case when one compares them to the affected companies’ overall revenue. As revealed by The Verge and CPO Magazine, the fines represented just 1.5 percent of both British Airways’ and Marriott International’s respective global annual turnover in the last few years.

This finding raises the question: are these fines high enough to produce meaningful change in these organizations’ security policies and procedures?

Tripwire created a series of Twitter polls to find out. Overall, these surveys revealed that most people don’t think the GDPR fines will have a meaningful impact on digital security. Let’s examine these results in greater detail below.

Too Little Fines and Too Little Change

Tripwire first asked what participants thought about these fines’ relative monetary amounts. A little less than half (43 percent) felt that the amounts were appropriate. However, approximately the same number of individuals (42 percent) said that the penalties were too little, with just 12 percent saying they were too much.