In January, Google was fined 50 million euros, or about $57 million, for violating Europe’s General Data Protection Regulation (GDPR). This was only the fourth fine against any company since GDPR took effect last May, but it was the highest-profile penalty as well as the largest fine to date.
This will not be the last penalty and will probably not remain the highest for very long.
The fine against Google was issued by France’s data protection regulator, CNIL, which charged the company with not properly disclosing to users how data is collected across its services to present personalized advertisements.
Under GDPR rules, a company can be fined up to 4% of global revenue. In Google’s case, that would have been more than $4 billion.
Lest you think Google got off easy, the company’s failure to meet GDPR compliance requirements could have a ripple effect on Google’s privacy policies and force the company to change the way it collects and uses customer data, not just among European users, but all over the world.
In this new environment of stricter enforcement, there are certain aspects of GDPR compliance that can remain pitfalls, particularly in the areas of governance, management and reporting. With help from Paola Zeni, Senior Director of Global Privacy at Palo Alto Networks, we outline three key areas of concern.
Dealing with Processors
With regard to data processing, organizations typically fall into one of two categories: controller or processor. In the past, most data privacy requirements applied only to controllers—i.e., those companies that determined the purpose and means of data processing, even though they did not carry out the processing directly.
Most GDPR provisions include requirements for both types of entities, which means many more companies can be accountable for violation of data protection principles. The regulation establishes also specific requirements that define the relationship between controllers and processors, requiring that they enter into written agreements, with very prescriptive requirements in terms of processes, governance, monitoring and enforcement, data breach reporting and other areas.
Record of Data Processing Activities
This is a completely new requirement established by GDPR. It requires that both controllers and processors maintain a record of data processing activities. It means that any organization that offers data processing services must be able to present its customers/controllers with information about what they do with their data.
“This is what a number of privacy professionals have been preaching for years—that companies need to understand and document their data flows,” says Zeni. “But the requirement was never included in a law, and therefore many entities have experienced mixed success in doing that.”
In meeting this requirement, organizations should focus on three key areas:
- Manual or automated records?
- Who owns the records and who is responsible to maintain them current?
- How does the record of data processing activities apply to new product development?
Data Protection Impact Assessment
This is another new requirement under GDPR. As with the record of data processing activities, it requires that organizations consider privacy principles such as security and data minimization when developing products and when setting up business processes, rather than thinking about privacy as an afterthought.
In fact, GDPR now requires that companies conduct a data protection impact assessment (DPIA) when adopting new technologies for personal data processing that present a high privacy risk. Zeni offers the following guidelines in meeting DPIA requirements:
- Have a clear owner.
- Ensure that processes are scalable and cross-functional.
- Create a system that monitors all processes and projects inside the company. Develop a risk score for each project.
- Merge the processes of privacy, security, procurement and IT review if these are currently separated.
- For new vendors and new projects, collect the same information that you collected for legacy vendors and applications during GDPR preparedness to ensure that information is consistent and complete.
- Train more people on privacy and do more privacy and security reviews.
If 2018 was about getting ready and understanding the new rules, 2019 is about maintaining compliance, managing risk and avoiding penalties.