Security Roundup: Google’s GDPR Fine, KnowBe4, Cybint, Digital Training
GDPR went into effect last May and requires companies to get users’ consent before collecting information about them, and they must provide a way for users to delete that data. In addition, it requires any company to turn over data it has collected on an individual.
France’s data protection regulator said it fined Google for failing to fully disclose to users how their personal information is collected and what happens to it. It also claims Google did not properly obtain users’ consent for the purpose of showing them personalized ads.
To find out more about the significance of this, we spoke with Matt Dumiak, CompliancePoint‘s director of privacy services. The company assists firms with privacy regulation compliance.
Channel Futures: Does the Google fine represent a significant milestone for GDPR and data protection?
Matt Dumiak: Absolutely, and there [are] a couple of reasons. It’s the first fine under GDPR and it’s the first real significant fine under GDPR. And I think it got a lot of people’s attention at that point just given how large it was and finally you feel the regulators are starting to get a grip on this regulation and their power under it.
GDPR’s been effective since May, and enforcements and investigations take time, and I didn’t expect that a regulator would have an enforcement at the ready on May 25, but it’s taken a little time for them to receive complaints and do some investigating, so they’re finally coming around.
CF: What this news surprising?
MD: I’d say middle of the road. Google has some of the best privacy attorneys in the world, they’ve commented that they did consumer testing, they think that they’re consent valid under GDPR, so it’s surprising in that regard because Google is prepared and they are a good company. But it’s not surprising because this is exactly the type of organization that these regulations are targeting. They had a lot of consumer data and they make a lot of money on consumer data.
CF: Should this send a message to other businesses?
MD: Yes, I think it does. Everyone at this point is probably going and looking at Google’s consent, and their networking and advertising consent, targeted advertising, and saying is this something we modeled ours after, and if so do we need to think about changing it? Also, now that Google has appealed the fine, we are going to get some great commentary from the regulators as well as Google in regards to … what are they going to find to be clear and conspicuous consent, what’s acceptable and what’s not. That’s under any regulation, but it certainly will be nice under GDPR to actually get some clarification around some of these things. I think the regulators did their best to make it black and white, but frankly sometimes it can be fairly gray.
CF: Is this a call to action for businesses? Last fall, a high percentage of businesses still were struggling with GDPR compliance.
MD: It’s certainly going to get the board’s attention within those organizations and it’s showing that the regulators are now …