The EU GDPR regulations are now in full effect. Organizations are frantically working to ensure their internal communications meet GDPR requirements to avoid being shut…
In May of 2018, the General Data Protection Regulation (GDPR) went into effect. The GDPR unifies the rules for processing personal data by private and public companies. The regulation aims to ensure the protection of personal data within the European Union.
Since then, the EU has been able to impose fines on companies that do not comply with the regulation, at either 4% of their annual proceeds or up to 20 million Euros (that’s over 22 million US dollars). Also, further sanctions can be imposed. This not only affects companies within the EU, it also affects every country that provides services to the EU market.
For example, if you operate a US-based hotel, then the way that you collect, store, and use personal data for guests from the EU must comply with GDPR regulations. The hotel must also provide clear language about what it will be doing with personal data like email address, and follow very strict rules surrounding how they store and subsequently use this personal data.
So what happens if a company does not comply with the requirements of the GDPR or even just unknowingly violates the law?
The national supervisory authorities are required by the GDPR to impose certain warnings or fines on data protection offenses. Any person who believes that the processing of their personal data lawfully has the right to lodge a complaint with the Data Protection Authority.
The Internet giant Google was recently hit with the biggest GDPR fine that’s been issued to date. The French Data Protection Authority has imposed a staggering fine of 50 million euros.
The complaint itself was submitted by two independent civil rights organizations: the French organization "La Quadrature du Net" (LQND) and the Austrian NGO "None of your Business" (nyob), founded by Max Schrems.
The motion against Google revolves around how the company failed to provide adequate information to its users about its data consent policies, and didn’t give them enough control over how their personal data was being used. Essentially, under the GDPR regulations, companies must obtain “genuine consent” from their users before collecting their personal information. This means that in order to be compliant, users have to specifically opt-in to the process.
Since the fine was only imposed at the end of January, the full impact of this case is not yet clear. So far, Google has only indicated that the company will decide what to do after a detailed examination of the case. As of April 2019, Google has not yet rectified the problem.
While Google’s whopping 50 million Euro fine is by far the steepest penalty that’s been handed down, the search engine giant may not be alone. Several other major US tech companies are currently under investigation by GDPR enforcement agencies.
In October 2018, the Irish Supervisory Authority launched an investigation into Facebook for potential data breaches. Not long after, the Irish Data Protection Commission began investigating Twitter for possible compliance violations.
Finally, in February of 2019, Amazon, Apple, Google (again, this time in France), Netflix, and Spotify have all been accused of violating GDPR regulations and are currently under investigation. In fact, privacy groups in Europe claim that most large streaming companies did not fully comply with the GDPR.
Whether caused by a cyber attack, software errors, hardware failure or human error, companies are obliged under the GDPR to report any violation of the protection of personal data to a data protection supervisory authority.
Theoretically, that sounds plausible, but what does this process actually look like? In general, Article 33 of the GDPR stipulates that notification of a breach of personal data protection by the responsible person must be made to the competent supervisory authority immediately, and if possible within 72 hours of becoming known. In the event of a delay in the obligation to register, a justification for the delay must be provided. The message must contain the following information:
It is also important that under Article 33 (5) of the GDPR there is a duty of documentation, therefore, the person responsible must ensure that all factors that led to the GDPR are clearly presented and documented. It may be a good idea to have a crisis communication plan in place in the event of a GDPR violation. The better your company is prepared for a possible GDPR infringement, the better your chances are of getting hit with only a small fine or even "just" a warning.
A GDPR violation can happen to any company. In order to minimize the risk of a breach and the associated consequences, it makes sense to take preventive measures. In addition to a sound crisis communication strategy, it makes sense to appoint a data protection officer (in some cases, this is mandatory). To ensure data security in all areas of your business, and actively counteract a GDPR infringement, you should check all applications and software products used by your company to make sure they all comply with GDPR regulations.