The GDPR deadline is far behind us now, and its impact is starting to be felt. Many companies met their obligations, but those who didn’t may want to step up their efforts. Anyone who doubted the EU was serious about data privacy needs to think again following the recent €50m fine levied against Google.
GDPR is the General Data Protection Regulation that went into effect in May 2018. GDPR gives EU residents numerous rights related to the protection of their personal data. These include:
- the right for their data to be used only for purposes the user agreed to
- the right to request their data to be deleted
- the right to review their data and request corrections to errors
In addition, entities that collect data may store it only as long as needed for the agreed-to usage and must report any breaches to the appropriate authorities within 72 hours.
Complaints about GDPR violations began immediately after the regulation became effective, with an activist organization complaining about violations by major companies including Facebook and Instagram.
The biggest fine to date is the recent fine the French regulators imposed on Google. The regulator found that Google forced people to consent without understanding what they were agreeing to. Google’s process sprawled across numerous screens and required clicking additional links to view the full details. The regulator also found that the information presented was vague and incomplete. They also objected to Google requiring users to agree to “Terms of Service” rather than agreeing to individual items.
Google is the most well known GDPR offender and it received the biggest fine, but there have been other significant penalties as well. A Portuguese hospital was fined €400,000 because access to patient data was not properly controlled. And a German social media platform was fined €20,000 when it was discovered that passwords were being stored as plaintext.
It’s important to recognize that GDPR does not only apply to structured data stored in databases. A business in Austria was fined €4,800 because its CCTV cameras captured images from public space.
Take Steps to Comply With GDPR
Most businesses can’t afford a substantial GDPR non-compliance fine. Not only are the financial costs significant, the damage to customer trust and your company’s reputation can have long-lasting consequences as well. There are good tools for GDPR compliance that can help you identify the data you collect that falls under that regulation and help you find user’s records to comply with the requirement to allow individuals to review their data.
If you need more help implementing the tools, processes, and controls GDPR requires, contact dcVAST. Our GDPR Readiness or Information Governance assessments will help you understand how much work you need to do to comply with GDPR and other new data privacy laws.