What Google’s GDPR Fine Means for SMEs

Last month, Google was fined 50 million Euros by the French data protection authority CNIL for failing to comply with GDPR, which may come as no surprise given its reputation and the sheer volume of EU citizens' data it processes. More surprising, in my opinion, is that the fine for the search giant doesn't seem proportionate to the 17 million pound penalty the UK ICO's enforcement notice threatened against AggregateIQ, the near-20-person Canadian business associated with the Cambridge Analytica scandal. In this post, I'll explain the reported reasons behind these two very different outcomes, generalize the implications to other small and medium-sized enterprises, and describe exactly how our virtual CISO service can help your business without requiring it to purchase anything else.

With the principles of GDPR in mind, specifically transparency and purpose limitation, the reasons issued by the French authority CNIL (remember, the supervisory authority of any EU member state can act on GDPR complaints, subject to the one-stop-shop rules for cross-border processing) are well-founded. How could Google have allowed this oversight? It seems to come down to interpretation: how easy does "easily accessible" have to be? The first reason, as stated by CNIL, is:

“the information provided by GOOGLE is not easily accessible for users…The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions.”

The second reason concerns how Google obtains consent for processing this data (specifically for ads personalisation), and it is a two-parter:

“consent is not validly obtained for two reasons. First, the restricted committee observes that the users’ consent is not sufficiently informed… Then, the restricted committee observes that the collected consent is neither “specific” nor “unambiguous”.”

An interesting point to note is that, unlike the vast majority of other compliance findings, this issue could not have been solved by Google buying a particular piece of hardware or software; the change required was to the language and organization of (Read more...)

