February 7, 2019
France, the country known for great wine and good food, can now also be known for something else, heavy GDPR fines.
Recently, France’s National Data Protection commission imposed a $57 Million (50 million euros) fine on Google for violating the GDPR regulations based on Google’s apparent inadequate privacy and data collection practices. The commission stated, “The amount decided, and the publicity of the fine is justified by the severity of the infringements observed regarding the essential principles of GDPR: transparency, information, and consent”. The commission further stated, “The violations are continuous breaches of the regulation as they are still observed to date.” And stated further in its penalty notice, “It is not a one-off, time-limited infringement.”
For those who read French, a longer version can be read here
Keeping in mind that the largest fine that could be imposed is 4% of Google’s annual global revenue which is $110.8 billion, this fine will certainly not hurt Google’s bottom line but does send a notice that the GDPR is a regulation not to be taken for granted.
And just like your local toll roads, once a government entity gets a taste of new revenue, it never goes away, but instead just increases in numbers and amounts charges and collected! It may be a smarter course of action, if not a lot cheaper, for organizations such as Google to take heed and advantage of leading-edge security solutions such as Spirion’s total protection of data at rest and at use. Not only will it save them money, but it will assure them of rapid and verifiable compliance.
If you are new to GDPR, continue to read below to understand a little bit more and how it affects you.
What is GDPR?
General Data Protection Regulation (GDPR) provides guideline for how personal information is collected and processed within the European Union or the EU. The guidelines went into place in May of 2018 and is critical for businesses and organizations such as financial institutions, banks, finance companies, and insurers. Since these guidelines had not changed since 1995 it was difficult to keep up with technological advances in information storage and processing making things unclear in the instance of a data breach. Prior to the implementation of the GDPR legislation it had been discussed for four years but passed by parliament and took effect in 2016. Even though GDPR brought about many skeptics and criticisms, it was needed in a constantly evolving technical world. It is proven that having a data protection regulation in place that works can be beneficial to everyone involved.
Will My Company be Affected?
If your company or organization had to follow the previous data act, then you will likely need to be GDPR compliant. GDPR covers personal and sensitive data of EU citizens. Personal data is a very broad category as it includes anything that can be used to identify an individual. Personal information can range from an IP address, name, phone number, home address, etc. Sensitive personal data can include someone’s religion, genetic information, political preferences, or their sexual orientation to name a few. GDPR sets a new legal framework for the protection of this information through processing and storage for the data processor or data controller.
As a company required to be compliant, they may need new or updated data protection policies. Having a data protection directive, a data protection officer within the company, a privacy shield, and changing the way data is processed including new ways of processing personal data, is often needed. Having a protection officer may mean hiring additional employees, but that can help protect the rights and freedoms of an EU member. GDPR brings a lot of big changes to the table all with EU citizens and their data in mind. Though as a company owner or supervisor following the new protection laws, GDPR can help avoid data breaches which leads to a loss of trust in the company and financial losses.
If you are a company of more than 250 people you will need to outline the reasonings behind the collection of personal data. You will also need to document how it is collected, how It is being stored, and how long the data is being kept. Some collected data may also need to come with explicit consent depending on the data subject. The consent must be clearly explained and include a positive opt-in. Certain data should also only be able to be accessed by someone with supervisory authority, while general data might be viewed by other company employees.
In a world where public authority matters knowing details about data privacy, processing of personal data, GDPR consent, and all of GDPR rules is crucial in protecting EU data against a potential breach.
Learn more about how Spirion can help you achieve compliance, visit our GDPR Compliance section.