Google’s GDPR fine: a reminder that non-compliance is not an option

However, although branded the ‘largest GDPR fine to date’, the financial impact on the global technology firm will be insignificant in comparison to the maximum fines reaching 4% of annual turnover. With annual revenue equating to over £100 billion last year, the £44 million fine is 100 times smaller than the maximum - which should help put it in perspective for other organisations. Whether Google wins the appeal to avert the fine or not, it is important to remember the compliance goalposts remain unchanged. Rather, the incident demonstrates that authorities can stand against these ‘untouchable’ global corporations to ensure data subject rights are met.

A key point to remember is the guidance that resonates throughout the legislation: implement appropriate technological and organisational controls for the data you process. Google, as a global, multi-billion dollar company with a business model based on processing data will have higher levels of security standards expected of it compared to other organisations. This does not mean smaller enterprises can disregard data protection; rather they can be pragmatic and risk conscientious based on the nature of their processing. A company that predominantly engages in business-to-business transactions, while likely to require less effort in their everyday activities than an organisation with a consumer focus, would still prioritise the handling of personal data for internal HR processes for example.

For any organisation, getting the basic foundations of their GDPR programme accurate and complete can help address these non-compliance issues. Article 30 requires a complete personal data processing inventory that outlines important information such as the nature of the processing, lawful basis and retention periods.  By clarifying these important points, it is possible to identify where consent is required for various purposes. Further, it clearly maps out what needs to be included in the privacy notice.

At a higher level, it can provide the basis for a vulnerability assessment to identify where to prioritise efforts. This initial analysis should translate into a layered approach of appropriate data protection controls, ensuring they can be demonstrated and justified, based on risk, to the individual.  On implementation of appropriate controls, the implications on the individual if the personal data was breached need to be considered. Data such as religion and ethnic origin can create prejudice, judgment and potential risk of abuse if it is exposed and therefore requires strong access restrictions to be applied, which may also necessitate anonymisation techniques.  These levels of controls are neither appropriate nor practical for personal data that is less sensitive.

There are various access governance and segregation of duties tools that can help towards GDPR compliance. Through the development of a GDPR access rule-set, various data privacy access risks can be defined, which provides full visibility of who violates the various data privacy risks and whether this access is lawful. These can be assigned to varying risk levels so that the organisation can implement appropriate mitigating controls based on the risk to the individual. To ensure on-going compliance objectives are being met, a process should be implemented to review and monitor these control activities on a periodic basis.

In summary, the GDPR objective remains unchanged: to protect the rights of individuals when processing personal data. Rather than seeing the Google fine as a scaremongering tactic: it should educate other organisations to ensure they don’t fall into the same non-compliance concerns.

If you want to learn more, why not check out our comprehensive guide on Privacy by Design for the GDPR? Just click on the image below.