It was announced yesterday that Google has been hit with the largest fine for data protection so far – £44m (€50m) – under the new General Data Protection Regulation (GDPR) by the French data regulator, CNIL.

While Google will almost certainly appeal the record-breaking fine, it could be the first of many large fines according to Matthew Holman, principal and head of data protection at commercial law firm EMW.

“This is just the first of what could be a wave of ‘mega’ fines under GDPR,” he said. “It is a dramatic first step in the new world of GDPR fines.

“It also means that other companies, such as Facebook, British Airways and Marriott, all of whom have suffered large scale security breaches, will be watching with bated breath to see if the UK ICO follows suit.”

The regulator says it judged that individuals were ‘not sufficiently informed’ about how Google collected data for personalisation.

The maximum penalty for a breach of GDPR is €20m (£17.7m) or 4% of a company’s global turnover. Google Ireland had a turnover of €32.2bn in 2018. This means the total fine that Google Ireland could have received would have been €1,288,000,000.

“The size of the £44m fine gives an indication of the likely size of fines that could be levied by other European regulators, including the UK’s ICO,” said Holman.

“This fine is about having poorly drafted privacy policies and having opaque processes for collecting personal data.”

Cybersecurity firm Veracode believes this fine is the start of a challenging 2019 for businesses when it comes to compliance. With International Data Protection Day a week away, it should come as a timely reminder that organisations must get their houses in order with data protection and governance.

It says that better data protection can be achieved through four key practices: visibility, security, integrity and recovery. Failure to adequately adhere to GDPR can see organisations handed financial penalties like the one imposed on Google.

Paul Farrington, director of solutions architecture (EMEA) at Veracode, said: “The fine against Google is an indication of the serious focus on privacy and security by regulators. Global enterprises must take steps to ensure security hygiene and compliance with standards to reduce their risk and protect data.”