Posted: January 30, 2019
Clearly US businesses are not immune to privacy regulation in Europe. If there were any doubt, look to Google’s fine yesterday under the GDPR. The largest fine yet to be imposed is being levied against one of the most recognizable technology brands in the world. Make no mistake: European regulators are sending a message to Silicon Valley. Fully comply with European privacy regulation or face the ire of regulators.
Fines under the GDPR thus far have been: $5,472 for a security camera filming in a public space, $22,800 for failure to adequately protect user passwords, $456,000 against a hospital for using fake accounts to access patient records, and $56.8 million against Google for failure to gain adequate consent and give users control over how their information is used. All fines, up to this point, have been issued against data controllers, spanning multiple industries and company sizes.
The landscape for privacy regulation is ever changing, both in Europe and here in the US. Less than a year ago, European regulators would not have been able to issue this fine. In addition, California’s Consumer Protection Act (CCPA) will be enforceable in 2020. Even organizations outside the purview of European regulators must face the fact that privacy regulation is not going away. Companies not addressing consumer privacy and compliance with the GDPR and CCPA are quickly falling behind industry trends and will likely become the focus of enforcement actions.
To comply with the GDPR and CCPA, organizations should start by focusing on consumer-facing interactions and privacy policies. Make sure data processing disclosures are clear, unambiguous, and located in one place. Organizations must ensure that they have a clear legal basis for processing user data, and should work with legal counsel or privacy professionals to establish and document it. Understanding the detailed data flows and the sharing of information with third parties is also of critical importance. Organizations should look to establish a cross-functional team or task force to properly address the enterprise-wide impact these regulations will have.
Greg is the Vice President & General Manager of CompliancePoint’s Information Security Practice. Greg has over 15 years of experience in Information Security, Cyber Security, and Risk Management. His knowledge spans multiple industries and entities, including healthcare, government, card issuers, banks, ATMs, acquirers, merchants, hardware vendors, encryption technologies, and key management.