As we predicted last year, the first victim of the GDPR would indeed be a big technology company. It comes as little surprise that France's CNIL regulator hit Google with a $57 million fine for a GDPR violation. The CNIL said, “Google made it too difficult for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising.” In the bigger picture, this means that companies need to prioritize data management and ramp up their efforts to ensure compliance.
Since its implementation in May 2018, the General Data Protection Regulation (GDPR) has led to widespread confusion for companies, domestic and foreign, dealing in the European market.
Businesses in technology, healthcare, banking, and retail were left speculating on the best approach for collecting personal data, with little help from the GDPR guidelines.
A recent study by the International Association of Privacy Professionals (IAPP) found that “more than 56% of respondents subject to the GDPR said they were far from compliance or would never comply” and “one-fifth said that full compliance may be impossible.” Hoping to mitigate the costs of incorrect or delayed compliance, many firms are taking a risky “wait-and-see” approach as they struggle to understand the best course of action. Because the GDPR retroactively applies fines for violations, many companies find themselves in a no-win scenario: either potentially wasting resources on incorrect compliance procedures, or continuing to gather information and risking hefty financial penalties.
With the recent $57 million fine levied by French regulators against Google, the high cost of non-compliance is becoming a reality, even as the time and investment required for compliance are becoming increasingly apparent. The IAPP study found that “the average organization spent $3 million on compliance efforts” and estimates that it will spend an “average of seven months to complete the requirements”, with a much longer expected timeline for large companies. With new obligations but little guidance, companies are scrambling to restructure their approach to data collection and maintenance as the threat of fines looms increasingly large.
In an interview with the IAPP, Helen Dixon, the Data Protection Commissioner for Ireland, stated that it's safe to expect more GDPR-related fines in 2019. The pressure to comply, despite a lack of comprehensive guidelines, is compounded by a series of investigations launched across Europe. For example, Facebook was placed under investigation by the Data Protection Commission in Ireland. In the wake of its second major security breach of 2018, during which nearly seven million users’ personal photos were compromised, the company failed to report the incident within 72 hours. Under the GDPR, this is punishable by a fine of up to four percent of “global revenue”, a term the regulation itself defines only vaguely.
As the new year continues, the threat of fines is likely to drive increasingly chaotic compliance efforts from companies, including extensive data auditing operations. If a firm finds evidence that it has collected personal data from an EU citizen, it must determine whether that data is overly accessible, is needlessly retained once a service is completed, or requires the individual's consent. With little GDPR direction, many firms remain hesitant to restructure their data practices and unsure of what form their execution efforts should take.
Perhaps more alarming for multinational businesses and local startups that rely on cross-border data flows is the ensuing domino effect of data protection policies. SMEs and non-technology companies should remain diligent and not scale back their efforts to comply with the GDPR.
Many countries are implementing their own standards for data maintenance, often imitating the GDPR. For example, policy proposals in Brazil and India are pushing heavy fines for noncompliance and adequacy requirements for cross-border data flows. It’s expected that emerging data policies will threaten trade as more and more countries follow suit. Companies should prepare for new regulation, lacking in both cohesion and clarity, to place additional burdens on their data protection and privacy efforts.