It’s not the first time, nor will it be the last. On 21 January 2019, a business was found guilty of breaching the General Data Protect Regulation (GDPR) and now faces a financial penalty as a result. This is a similar story to what we’ve continually witnessed in the headlines since the implementation of GDPR in May 2018. So why is this case any different? This time, the business in question was Google.
The formula remains the same – company X breaches Y regulation and is therefore fined Z amount. But the fact of the matter is that, in this particular situation, it wasn’t just any company breaching GDPR. It was a tech giant, one whose name is synonymous with using data to provide us with information and optimise our experiences. And it’s not just a standard penalty – it’s £44 million. With such a huge organisation being fined an eye-watering sum of money, the question now isn’t simply what does this mean for Google – but what effect will this have globally?
Since its inception in April 2016, GDPR has been the hot topic on almost all business agendas. With just over two years to identify, collate, and effectively store consumer data, businesses worldwide strived to adhere to the policies outlined in this new regulation ahead of its implementation in May 2018.
Under GDPR, businesses dealing with European consumers must ensure that they have adequate permissions to collect, manage and store sensitive information. Furthermore, consumers have the right to be forgotten – meaning that consumers can ask businesses to retrieve (and remove) all information held on them. Should an organisation fail to comply, it risks being in breach of GDPR.
As a result of GDPR, the world has woken up to the fact that every organisation who works with European customers or business partners must protect any sensitive information, or be held accountable if they don’t.
Unlike previous regulations, GDPR has real teeth. Any direct financial losses resulting from lost or stolen sensitive data will be compounded by hefty fines of up to 4% of a business’ global annual turnover. And that’s precisely what we’re seeing with Google.
Earlier this year, French regulator CNIL found fault with Google on two fronts in relation to GDPR: a lack of transparency for how user data is processed, and a lack of legal consent from users for targeted advertising. Alongside this, Google’s process for how consumers opt-out of targeted advertising was found to be “neither specific or unambiguous.”
The ripple effect
Granted, the penalty for Google is not as severe as it could have been — a maximum fine of 4 per cent of global revenue would have been more than £3 billion. But the exact amount of the penalty is not the key element here – it’s the growing number of penalties being handed out by regulatory agencies.
Since the first fine under GDPR was issued in Austria in October for €4,800, the financial costs have been rising. A German social-media company was fined €20,000 for mishandling of passwords and a Portuguese hospital was fined €400,000 for allowing non-medical staff access to patient medical records. Google is not merely the latest in this recent run of fines, but it is also by far the largest.
And as the fines escalate, so does the power of GDPR and data privacy regulation – and not only in Europe. Pressure is mounting in the United States for a national privacy law: various privacy advocacy groups, several major corporations, and at least three U.S. Senators have all proposed different frameworks as a foundation for new federal regulation on how user data is collected and used. Legislation demanding that enterprises ensure the privacy of their users and employees will soon be a requirement to enter the marketplace, and businesses will soon market themselves as good stewards of the data with which they have been entrusted.
To do this, organisations must ensure they have an overview of how sensitive data is being stored, managed and accessed. Identity governance allows organisations to answer the critical questions of who has access to what, who should have access and what they’re doing with that access, addressing the policies outlined by GDPR.
Ultimately, the latest penalty for GDPR violations is not the first such fine, nor will it be the last. It is a portent of what is to come: privacy regulation is here to stay.
Mike Kiser, Security Strategist and Evangelist at SailPoint
- Also check out the best antivirus to keep your devices protected from the latest cyber threats