Fines imposed under the European Union’s General Data Protection Regulation have been relatively low and infrequent. But companies need to prepare for bigger penalties as authorities throughout Europe bolster enforcement efforts and clarify how fines are calculated and imposed. 

“As things develop, as years go by and those holes are understood, it’s going to get harder for those companies to say, ‘We didn’t really understand or know,’” said Kevin Levy, a partner at GrayRobinson’s Miami office who chairs the firm’s technology transactions practice.