Why Google's record fine after GDPR violation is both a warning and an opportunity for companies
At the end of January 2019, France’s data protectors showed that the stringent sanctions for data protection violations are not just on paper when they imposed the largest fine in the history of European data protection: 50 million Euros. About six months after the European General Data Protection Regulation (GDPR) came into force, the French data protection authority Commission Nationale de l'Informatique et des Libertés (CNIL) held Google, one of the large data companies, accountable for persistent violations of the new regulation.
So far, breaches of data protection regulations have remained largely without consequences, at least financially – after all, until last year, most fines amounted to petty cash – but the GDPR has now fundamentally changed this. The penalty framework, which specifies fines of up to EUR 20 million or even 4 percent of a company’s worldwide annual turnover, has not only increased significantly; the authorities are also willing to make full use of these stipulations, as the case in France has shown. The reasons given by the data protectors for their decision are particularly noteworthy, as the record fine was not imposed due to a data theft scandal, but rather due to constant violations of the regulation by Google. In essence, the CNIL criticises the lack of transparency and considers the way in which Google provides information on the use of the data collected to be inadequate.
But Google is not the only company that’s very creative in obtaining users’ consent to certain things – Facebook also has trouble with the German Federal Cartel Office precisely because of its opaque and criticised data collection practice. The big data tech companies are cleverly trying to meet the strict data protection requirements of the authorities, often with only superficial changes to their products, and continue to stage their data protection settings so skillfully – referring, for example, to a better user experience for everyone – that users tick the box without knowing exactly what they have agreed to.
GDPR fine against Google should serve as wake-up call for companies
However, the actions of the European data protectors as well as the Cartel Office, which also refers to the GDPR when justifying its decision, show that the new law is by no means just a toothless paper tiger. No company stands above the law. The regulatory authorities are aware of their possibilities and use them accordingly – regardless of whether the companies are large, well-known corporations or private SMEs. Fines do not take into account whether the infringements are committed deliberately, with the aim of continuing to collect as much data as possible – see Google and Facebook – or whether data breakdowns and data losses occur due to incorrect processes, faulty configurations, or human error. In addition to data protection, information security also plays a decisive role in complying with the GDPR. However, as the results of the Breach Level Index 2018 show, there is still a lot of catching up to do. In the first half of 2018, there were a total of 945 infringements, with 4.5 billion compromised data records worldwide. Compared to the corresponding period in 2017, this represents an increase of 133 percent in the number of lost, stolen, or compromised data records. It is also shocking that only one percent of the lost, stolen, or compromised data had been protected by encryption.
Companies continue to have difficulty implementing the GDPR
Although the issues surrounding data protection have become increasingly important, the methods used are, unfortunately, still inadequate. In simple terms, when it comes to data protection, companies don’t even do the basics: encryption, key management, and access control. Why not? In an attempt to answer this question, one quickly encounters a divergence between two eternal “rivals”: software development and IT operations. While digitalization is pushing software development to bring new IT applications – especially innovative, customized services – to market in ever shorter development cycles, and to provide more releases and higher quality software thanks to agile DevOps principles, IT operations are expected to simultaneously implement data protection requirements in hybrid, very heterogeneous environments – securely, yet with as little effort as possible. High-speed IT has become the basis for competitiveness in the modern market. But the short development times and fast releases put IT security under pressure. As a result, there is a danger of non-compliance with GDPR requirements, and thus the risk of fines.
Innovative services for Identity & Access Management ensure GDPR-compliant processes and enable agile development patterns
Service Layers, a subsidiary of iC Consult, the leading vendor-independent system integrator in the field of Identity and Access Management (IAM), now offers a customizable IAM platform. This lets companies meet the high requirements of complete IAM. It also enables agile development patterns and extremely short development cycles, thanks to the use of microservices and containers. The IAM service uses products from market-leading vendors such as ForgeRock and Ping Identity and employs cutting-edge IT architecture and organization. From adapting the IAM software, to integration, to continuous operation – in public or private clouds or in hybrid infrastructures – the offering covers the entire process, thus making it possible for companies to meet the complex requirements of the GDPR in a resource-saving manner. In addition, compliance with the guidelines also helps foster a trusting relationship with customers, partners, and employees – data protection acts as a seal of quality.