by Ian Heritage
We’ve been waiting some time for European GDPR regulators to flex their muscles since the legislation came into force at the end of May 2018. Well, now they have, after Google was handed a €50m (£44m) fine in France. Although this particular case revolved around privacy and transparency over how consumers’ information is used, rather than data security, it clearly serves as a warning notice for firms, wherever they are.
In light of the judgement, IT and data protection teams should be redoubling their compliance efforts. As we predicted in December, a maximum 4% fine is still on the cards for this year, and the next one could be for a major data breach.
French regulator CNIL issued the massive fine after complaints filed by two rights groups on behalf of their members. One was filed on the very day the GDPR came into force, highlighting both the determination of campaigners to ensure the law is upheld, and the sheer time it takes investigators to gather all the evidence before decisions can be made. Coming just ahead of Monday’s EU Data Protection Day, it was well-timed.
CNIL said there were two breaches of the GDPR. Google violated the obligation of transparency because “essential information” on how ads are personalised was hard to locate, far from comprehensive and spread out across multiple documents. Secondly, Google was judged not to have a legal basis to process data for ad personalisation because user consent was not validly obtained — again because it was so hard to locate the relevant info. A further error Google made was pre-ticking a box so that users had to opt out of personalised advertising.
This case was primarily focused on privacy and transparency. But it should serve as a warning to any organisation not taking the GDPR seriously enough. While the ICO has in the past reassured businesses that it is not looking to make an example out of them, it’s now clear that obvious transgressions will be punished, especially when committed by larger organisations. So what next?
There’s much for compliance teams to cover. But from a data protection perspective, organisations must start by understanding what data they process and where it flows through the organisation, classifying it according to the risk it could pose if compromised. Then it’s time to map security controls and processes to that data to mitigate risk. The good news for many IT and data protection leaders is that if you already complied with the previous regime, you’ll have a good foundation to build on.
No technologies aside from pseudonymisation and encryption are named in the GDPR. That’s deliberate, to ensure the legislation remains relevant as tech evolves. But it can also render the law somewhat nebulous.
That’s why industry best practices are key to effective compliance. Follow frameworks like ISO 27001 and the UK government’s Cyber Essentials to prove to regulators you have your customers’ best interests at heart. NIST’s 800-53 publication can also help, documenting control areas such as access control, audit and accountability, configuration management, identification and authentication, system and communications protection, and system and information integrity.
One key principle to bear in mind as you do this is data minimisation. Organisations have grown used to keeping hold of customer and employee data. Much of it is no longer of any use and represents nothing but an unnecessary security risk. If your initial data audit is effective, you should be able to pare this data right down, reducing risk and compliance effort in the process.
Most importantly, your GDPR compliance efforts will need to evolve over time. Organisations that simply “tick the box” and move on may find themselves in for a rude awakening as the regulators start to get tough on enforcement. The GDPR honeymoon period appears to be over.