The European Union’s General Data Protection Regulation (GDPR) is no longer just another regulatory requirement to worry about in the future—it’s here. A major fine against Google, and other recent GDPR sanctions, confirm the urgency of complying with the law. The law fundamentally changes data privacy rules for all companies that transmit, process or hold EU resident data, regardless of whether they have European operations. Companies must navigate the regulation’s complexity—while also keeping an eye on emerging U.S. data privacy regulations.
GDPR enforcement actions have begun
GDPR enforcement began May 25, 2018, when the first complaints were filed under the law. In the intervening months, the first wave of enforcement actions covered a wide range of violations. The recent 50 million euros penalty imposed by the French data protection authority (CNIL) against Google is the most significant sanction to date, sending a clear signal that regulators are taking GDPR enforcement seriously.
It is notable that the fine was imposed even though no data breach had taken place to expose personal data. The CNIL fined Google for a lack of transparency in data collection and processing, and for invalid consent processes for ad personalization.1
While the Google fine illustrates the heavy fines that can be triggered by noncompliance with the GDPR, smaller fines also illustrate the full breadth of application of the law. For example:
- Austria’s data protection authority fined a retail establishment 4,800 euros because its surveillance camera captured too much of a sidewalk.2
- A hospital in Portugal was fined 400,000 euros for handling patient information inappropriately.3
- A German chat platform was fined 20,000 euros for a breach of user passwords.4
Each of these fines was for different violations, and the amounts vary dramatically. Taken together, however, these GDPR sanctions contain clues as to how enforcement actions will take place going forward. For example, each country’s supervisory authority has significant latitude with both how strictly the law is interpreted and what noncompliance penalties should be.
Perhaps most importantly, these fines demonstrated that companies that cooperated with regulators and showed progress toward compliance were shown leniency with financial penalties. GDPR is an expansive law, and at this early stage of implementation and enforcement, some regulators are clearly looking favorably on companies that can demonstrate a serious GDPR compliance strategy, as the German example shows.
While full compliance is the optimal scenario, serious efforts shown toward adopting the regulation will be taken into consideration. As the Google case shows, however, what a company may consider a serious effort may not be deemed as such by the regulators, especially as in this case, where the nature of the data processing activities the company engages in are deemed especially intrusive.
Up until the Google fine, many companies felt that GDPR enforcement had not yet begun. The examples above, however, show that the GDPR is a major focus for EU regulatory bodies—and is being enforced forcefully.
With potential fines ranging up to the higher of 4 percent of global revenue or 20 million euros, ignoring the GDPR cannot be deemed to be a prudent course of action. Companies still taking a “wait and see” attitude should consider starting a GDPR compliance program, so they can demonstrate, at a minimum, a good-faith effort toward compliance, rather than ignoring it.
The GDPR’s focus on residents, not operations
If your company has European operations, these fines are a reminder of the direct impact that the GDPR can have on your organization. However, even if you don’t have a European presence, data privacy has become a global issue that will affect all companies, requiring a closer look at how personal data is collected and managed.
GDPR rules also apply to United States-based companies that have European customers, since the focus is on the individual’s location not the company’s location. Therefore, additional safeguards and controls are likely necessary to adequately protect EU resident data and adhere to GDPR standards.
Emerging U.S. data privacy legislation
In addition, data privacy regulations have moved beyond foreign countries and citizens, and squarely into the scope of individual U.S. state regulators, with potential federal laws on the horizon. For example, the California Consumer Privacy Act (CCPA) was signed into law in June 2018, creating new requirements for the protection of California residents’ personal information. While the CCPA is not slated to go into effect until mid-2020, some states, including Massachusetts and Texas, already have some level of data privacy protections in place.
With public pressure increasing on how companies collect and manage data, discussions have begun about expanded federal privacy regulations. It is only a matter of time before more extensive U.S. data privacy laws are developed at both the state and federal level, and effective preparation is key to protecting customer data and avoiding potential sanctions.
Taking steps toward compliance
To begin addressing the GDPR, as well as the CCPA and other emerging data security standards, you must understand the regulations and gain an awareness of their specific requirements. That knowledge, combined with a gap assessment, can help you understand where you may have potential exposures and guide your program toward compliance.
Many organizations do not have internal experience with, and exposure to, these new data privacy regulations, and can benefit from a third-party perspective on their progress toward compliance. An advisor that understands the complexities within the regulations, and the expectations of regulators can help you evaluate your controls and gaps, and leverage that information to efficiently develop a thorough data privacy compliance program.
The GDPR requires companies to be able to demonstrate compliance at any time—not only if a breach has occurred. For example, the Dutch regulator recently selected a number of companies at random and asked them to provide evidence of compliance. You must ensure that your processes adhere to regulatory requirements and, at a minimum, start to take action to move toward compliance in order to build a defensible case.
Ultimately, the sooner you address emerging data privacy laws and regulations, the better the case your company can make that it’s taking them seriously, even if it has not completed compliance program implementation.