The EU General Data Protection Regulation (GDPR) — the compliance regulation that caused consternation in organizations worldwide, before and after it went live on May 25, 2018 — is starting to live up to its reputation of being a fearless defender of customer data and privacy rights. As with all laws, its implications are best understood by interpreting its penalties thus far.
Let’s examine the top three notable GDPR fines to date to get an idea of what may lie ahead.
1. Brownie Points for Good Behavior: Demonstrable Efforts to Compliance Count
An unnamed German social media platform was amongst the first to be fined under the GDPR, following a breach that compromised the personal information of 330,000 users, including their passwords and email addresses.
What was interesting to note was that the €20,000 (roughly $22,812) fine was low compared to what the regulation stipulates: €10 million or 2 percent of an organization’s total worldwide annual turnover. This was because the organization made demonstrable efforts to proactively notify the German data protection authority (the LfDI) and its customers of the breach in a timely manner.
Additionally, the “exemplary cooperation” of the company to implement the security guidelines and recommendations of the DPA helped bring down the fine.
2. Remember the Basics: Password Encryption, Access Control Matters
While organizations are spending millions and enlisting experts to ensure “GDPR compliance,” the first GDPR penalties, such as the German case above, highlight the importance of not forgetting the basics.
An Austrian entrepreneur was fined for installing a CCTV camera outside his establishment that was not sufficiently marked; the camera recorded a substantial portion of the sidewalk, a “public space.” A Portuguese hospital was fined for inadequate account management practices, such as having five times as many active accounts as required and giving doctors blanket access to all patient files, irrespective of the doctor’s specialty.
Encrypting passwords, ensuring access control (particularly to sensitive data), and CCTV notifications may seem basic, but are often overlooked.
3. The Customer Matters the Most: Consent and Transparency
The French data regulator CNIL upped the ante this year with a €50 million fine for Google. The fine was imposed because Google fell short in two areas:
- Insufficient Transparency: Google failed to obtain valid consent to collect and process data because “essential information,” such as the processing purposes and data storage periods, was “disseminated across several documents.”
- Vague Consent Agreements: Google’s blanket consent agreements and pre-ticked account sign-ups were contrary to GDPR’s strong emphasis that consent should be “granular, freely given, informed and must involve affirmative action.”
Of all the GDPR articles, these two — the Right to Be Forgotten and Privacy by Design and by Default — are amongst the most significant. Build customer consent and data processing transparency into the center of your user design and experience. Actively seek customer consent with clear affirmative action and opt-ins.
4. Location of the Decision Makers Matters, Not Where Your HQ Is Based
Another takeaway from the Google case is that HQ/server location (even outside the jurisdiction of the GDPR) matters less than the location where the decisions concerning the data processing are taken. For instance, Google Ireland was largely responsible for administrative, accounting and tax matters, while Google LLC (located in the US) was responsible for the decisions regarding the EU data processing.
End of the GDPR Amnesty
The increase in fines signals that the amnesty period for implementing the regulations is over. Organizations cannot be complacent about data security, customer privacy, data policies and more. They cannot excuse themselves based on the location of their headquarters or servers or, as in the case of the Portuguese hospital, on their use of a government-provided IT system. The onus is on the company to be proactive in ensuring that customers’ data is well and truly protected.