It came to light yesterday that Uber had paid hackers to conceal a hack that affected 57 million customers and drivers.
The GDPR, which comes into force in the UK and Europe next year, is designed specifically to deal with such occurrences.
"Uber would have had to notify the regulator within 72 hours of being aware of the hack – not the year or so in this case," Dean Armstrong, cyber law barrister at Setfords Solicitors said. "As Uber hasn't released its figures we can't speculate as to the potential final cost of the fine but it is fair to say the regulator would come down hard and under the regulations, it would likely be in the tens of millions."
Nevertheless, Armstrong believes that the greater cost to Uber would still be reputational.
"Uber has played a risky game here, not only concealing the hack but exacerbating the problem by paying off the hackers. This will simply encourage them further and result in more attempts to steal personal data from organisations," he said.
The fact that the hack occurred in North America would not have excused Uber had it happened after GDPR came into force, Armstrong warned: "The regulations will apply to any EU citizen's data. Assuming that at least some of the 50 million records hacked were of EU citizens, then under the new rules GDPR would potentially see Uber punished under EU regulation."
If Uber wants to continue to operate in Europe next year, it needs to "come clean", he said.
"It has much work ahead of it, but perhaps this lesson will finally signal to other organisations that law-makers, and the public have had enough of poor data protection provision," Armstrong concluded.