This is a guest post from Patrick O’Kane, lawyer (UK barrister), Data Protection Officer for a US Fortune 500 company, and author of GDPR: fix it fast – How to apply GDPR to your company in ten simple steps.
“It’s too early to say!” quipped the Chinese Premier in 1972 when he was asked about the effects of the French Revolution in 1789.
It may be too early to say how hard regulators across the EU will penalize ordinary companies for breaching the EU General Data Protection Regulation (‘GDPR’), but last week we saw the first shot across the bow. The French regulator, the CNIL, fined Google 50 million Euros, which finally broke the dam. The fine was levied under GDPR for "lack of transparency, inadequate information and lack of valid consent regarding ads personalization".
GDPR came into effect on 25th May 2018. It is a data regulation nonpareil - arguably the most-hyped compliance regulation for a generation.
Since then, some of the GDPR hype has died down.
At the pinnacle of the hype, GDPR was more of a phenomenon than a compliance regulation. At one stage it was reported that it had outranked Beyoncé on Google Search.
Consumers received emails from needy companies asking them to consent to marketing. GDPR ‘consultants’ of all shapes and sizes filled the marketplace. London lawyers promised to salve our GDPR anxiety if only we retained their services.
And then… nothing. By July 2018, it seemed to have slipped off many board agendas.
The other GDPR fines
As you know, the maximum fine under GDPR is €20 million or 4% of a company’s global turnover (whichever is greater).
Some of the GDPR fines levied by regulators have been tame. Before the Google action, fines under GDPR had been scarce, and none had been headline-grabbing. For example:
A German social media company was fined €20,000. The company had been hacked and 808,000 email addresses were compromised.
An Austrian retail company was fined €4,800 after its CCTV captured too much of the public sidewalk.
A Portuguese hospital was fined €400,000 after hospital staff illegally accessed patient records.
The Google fine – 3 takeaways
One: Level of the fine – Google’s data protection law breach was not the most heinous we have seen. Essentially, Google has received a €50m fine for a lack of transparency and for sub-standard consents.
Two: It’s not just about data security anymore – In the old days the big fines were reserved for data security incidents. That time has passed. We now know that GDPR breaches which involve no security incident at all can attract fines in the tens of millions.
Three: They are going after the big boys – The Google fine shows that EU regulators will be taking a much more aggressive stance against major corporations.
What should you do now?
It might be your last chance to get your own data governance in order. Right now you should:
Build the foundation – Create a data inventory. Find out what personal data you hold, where it is and what you are doing with it.
Assess the risk – Create a risk register that details your main personal data compliance risks. This will help you decide which priorities are urgent in getting on the right side of GDPR.
Train your staff – Staff are at the root of many data security breaches. Assess your staff training gaps and fill them.
Contracts – When you entrust business partners and vendors with the personal data you hold, GDPR demands that certain clauses go into the contracts. Make sure your contracts include these clauses.
Now is the time to push your company to get on the right side of GDPR.
Patrick O’Kane is a lawyer (UK barrister) and Data Protection Officer for a US Fortune 500 company. He is the author of GDPR: fix it fast – How to apply GDPR to your company in ten simple steps.