GDPR (the General Data Protection Regulation) has been in effect for just under a year now, and since its launch in May 2018, it has rarely been out of the headlines or far from business agendas.
Some high-profile cases have already been brought under GDPR, most notably the £44 million fine against Google in January 2019. But this wasn’t the first time a company has fallen foul of GDPR, nor will it be the last.
Because Google is the world’s largest tech giant and a company whose name is synonymous with using data to optimise online experiences, the Google fine is particularly noteworthy. The question now isn’t simply what this means for Google – but what effect it will have globally.
Under GDPR, businesses dealing with European consumers must ensure that they have adequate permissions to collect, manage and store sensitive information. Furthermore, consumers have the right to be forgotten – meaning that consumers can ask businesses to retrieve (and remove) all information held on them. Should an organisation fail to comply, it risks being in breach of GDPR.
Perhaps to emphasise just how seriously the European Commission is taking GDPR and data security, the fines for a data breach are particularly hefty – up to 4% of a business’s global annual turnover. Perhaps Google can be considered to have got off lightly then, as 4% of its annual global turnover would have meant a fine of £3 billion instead of the £44 million fine it received.
The regulator CNIL found fault with Google on two fronts in relation to GDPR: a lack of transparency for how user data is processed, and a lack of legal consent from users for targeted advertising. Alongside this, Google’s process for how consumers opt-out of targeted advertising was found to be “neither specific or unambiguous.”
The EU may have been the first region to take data protection laws seriously, but it’s likely other countries will follow suit. In a world that is becoming more and more digitally connected, people’s personal data is becoming an increasingly valuable commodity and how it is secured and protected is becoming more important.
Pressure is mounting in the US for a national privacy law and new federal regulation on how user data is collected and used. Legislation demanding that enterprises ensure the privacy of their users and employees will soon be a requirement to enter the marketplace, and businesses will soon market themselves as good stewards of the data with which they have been entrusted.
Ultimately, the latest penalty for GDPR violations is not the first such fine, nor will it be the last. It is a portent of what is to come: privacy regulation is here to stay, and how businesses handle their customers’ and users’ data will be increasingly important.