GDPR Compliance Myth #7: Huge GDPR fines never really happen

As a year since the introduction of GDPR approaches, VinciWorks revisits our popular GDPR mythbusters series to separate the data protection facts from fiction.

Just six minutes after GDPR came into force on 25 May, 2018, two European advocacy groups, Quadrature du Net and None Of Your Business (NOYB), filed complaints against search giant Google. Similar complaints were also levied against the titans of the internet age: Facebook, WhatsApp and Instagram. These actions were not confined to just one jurisdiction. The white knights of data protection made their mark in the halls of national regulators in Paris, Vienna, Brussels and Berlin.

The complaint? Nothing greater than the default advertising settings that come when signing up for a standard Google account. Users must agree for their personal data to be used in order to show them personalised adverts, and Google requires people to agree to those terms and conditions via pre-ticked boxes in what NYOB calls “forced consent.”

On-demand webinar – GDPR Mythbusters 2019

Big fines in store for those who breach GDPR – not a myth

CNIL – the French data protection regulator, agreed in January 2019 that this breached GDPR, handing Google a record-breaking €50 million fine in what they term “continuous breaches of the Regulation as they are still observed to date. This is not a one-off, time-limited, infringement”. This is evidence this fine is unlikely to be a one-off, time-limited fine.

€50 million might be pocket change for a company with a cavern of treasures as deep as Google’s, but with another three data protection regulators still to make a ruling from this particular complaint, out of a total of 28 GDPR enforcement authorities across the European Union, hundreds of millions of Euros might soon start to add up to real money.

It may come as no surprise Google feels aggrieved by the fine. A spokesperson for the tech giant said: “we’re deeply committed to meeting those expectations and the consent requirements of GDPR.” While Google tries to limit the impact of the ruling to only their French services, it’s unlikely they’ll be able to stem the tide of GDPR judgements that are set to crash over the biggest companies in the world.

Prior to GDPR coming into force, no one knew just how much regulators would be willing to flex their enforcement muscles. The maximum fine available for GDPR breaches is 4% of global turnover, a staggering amount for even trillion-dollar businesses like Google and its subsidiaries. €50 million might pale in comparison with 4% of the infinity money tech companies sit on, but it’s a sea-change from pre-GDPR enforcement like the paltry £500,000 fine Facebook was landed with after the Cambridge Analytica scandal.

The lessons to be drawn from the first major fine of the GDPR era is that while regulators might not yet be ready to exercise the full might of their power, the earth-shattering fines which were promised are not merely legends. However, what should be of far more concern for tech outlaws is that data crusaders have discovered their secret weapon, and it’s called GDPR. This fire-breathing beast flies on the side of the European citizen sick and tired of having their data harvested, abused, and sold for profit. And the beast has been wakened.

So if you think huge fines for GDPR breaches are nothing to be scared of, just wait till the pitchforks and flaming torches come for you.

VinciWorks to release GDPR refresher training

Staff should regularly carry out GDPR training to ensure they are continually able to respect and protect individuals’ personal data. We will soon be releasing new refresher training that will help staff maintain awareness of GDPR requirements year after year. Within the same course, users can take advanced modules related to their role. This training will include topics such as how to be a DPO, GDPR for marketing and HR and responding to subject access requests. You can register for updates on the training here.