Fines imposed under the European Union's General Data Protection Regulation have been relatively low and infrequent. But companies need to prepare for bigger penalties as authorities throughout Europe bolster enforcement efforts and clarify how fines are calculated and imposed. 

"As things develop, as years go by and those holes are understood, it's going to get harder for those companies to say, 'We didn't really understand or know,'" said Kevin Levy, a partner at GrayRobinson's Miami office who chairs the firm's technology transactions practice. 

Since the GDPR took effect in May 2018, data protection regulators have imposed about $126 million in total reported fines, "which is quite low given that supervisory authorities enjoy the power to fine up to 4% of total worldwide annual turnover the preceding financial year," according to a new survey from DLA Piper.