It was only a matter of time before the consequential General Data Protection Regulation fines commenced. The recent £44m fine for Google’s infraction of the GDPR regulations is a real wake-up call, if ever one were needed, that UK organisations need to comply with the recent legislation by respecting individuals’ privacy and information rights.
The only residual surprise was that it wasn’t any higher. Under the 2018 regulations organisations can be fined up to 4% of global turnover for regulatory infringements. This makes the sanction somewhat trifling when you consider that conservative estimates suggest the maximum could have been $3.6 billion.
Google’s wrongdoing, as found by the French privacy regulator, was a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation.” In essence, Google simply took control of personal data without clearly explaining what would happen to it. Users were not able to fully understand the extent of the processing operations carried out using their data; in particular, the purposes of processing were described in too generic and vague a manner, as were the categories of data processed for these various purposes.
Whilst not every organisation is so reliant on the use of tailored marketing and media engagement as the Google goliath, it is worth noting that the infringements that were exposed deprived users of some basic guarantees and safeguards regarding processing operations that can reveal important parts of their private life. As a result, users were unable to properly control the use of their own data, and consequently they were not sufficiently informed to give or withhold valid consent.
So the new GDPR instalment of privacy regulation is now well under way. If there has been any unofficial ‘honeymoon’ period, it’s now at an end. Equally robust sanctions can be expected to follow from the UK Information Commissioner’s Office for those who substantially fail their data subjects; it seems inevitable that it will also impose more significant monetary penalties from here on. Couple this with the inevitable loss of organisational reputation and it’s a recipe for a PR disaster, especially for public organisations.
Don’t let it happen to you; at the very least, develop a culture and business approach that makes respect for personal data a priority. Make sure you commit sufficient resources, staff time, training and financial budget to comply with the necessary legislation. It matters not how large, small or outlying your organisation is: this legislation is European-wide and will remain substantially intact in the UK whatever the Brexit outcome.
There are some excellent, well-established, experienced and well-informed independent consultants out there (including ourselves), so you really don’t have to tackle this alone. We are leading experts in data compliance, working in partnership with organisations and companies nationwide across a range of information governance matters.
Trust us to help you stay compliant.
For more information on how we can help contact us at: https://www.staycompliant.training/contact-us/
or telephone 01274 562630.