Last month, Google was fined 50 million Euros for their failure to comply with GDPR, which may come as no surprise given their reputation and the sheer volume of EU citizens’ data they process. More surprising in my opinion, is that the fine for the search giant doesn’t seem proportionate to the 17 million pound fine issued to AggregateIQ – the near-20-person Canadian business associated with the Cambridge Analytica scandal. In this post, I’ll explain the reported reasons for these two very different situations, generalize the implications to other small to medium-sized enterprises, and describe exactly how our virtual CISO service can help your business without requiring it to purchase anything else.
With the principles of GDPR in mind, specifically transparency and purpose limitation, the reasons issued by the French authority CNIL (remember, any EU country can handle GDPR complaints) are well-founded. How is it that Google could’ve allowed this oversight? It seems like a matter of interpretation as to how easy “easily accessible” means… the first reason as stated by CNIL is:
“the information provided by GOOGLE is not easily accessible for users…The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions.”
The second reason has to do with how Google collects consent for the retention of this data, and it’s a two-parter:
“consent is not validly obtained for two reasons. First, the restricted committee observes that the users’ consent is not sufficiently informed... Then, the restricted committee observes that the collected consent is neither “specific” nor “unambiguous”.”
An interesting point to note is that unlike the vast majority of other compliance frameworks, this issue could not have been solved by Google buying a particular piece of hardware or software; the change required was changing the language and organization of their agreement.
What about AIQ? They were the first GDPR fine, which stemmed from the Cambridge Analytica scandal that another tech giant (facebook) dealt with last year. The reasons for AIQs fine, as detailed by the ICO, were multiple as well: Lawfulness, fairness, and transparency; purpose limitation; data minimization… in other words, AIQ’s processing of the data on behalf of campaign groups may be unlawful, their purpose for processing this data was either poorly communicated or changed, and they may have used the data for more than that original purpose.
The similarity is that these reasons also don’t require anything to be purchased to resolve them. Yet the actions these companies took (or, didn’t take) are completely different, and whether they’re proportionate is up for debate; AIQ is vehemently protesting their fine and appealing the decision of the ICO (the UK’s governing body on GDPR issues). For context, an article in V3 covers what AIQ said and how they are addressing it:
"AggregateIQ has never managed, nor did we ever have access to, any Facebook data or database allegedly obtained improperly by Cambridge Analytica."
AIQ also claimed that the ICO’s enforcement notice is inconsistent with previous positions the enforcer had taken, breaching the company’s right to a fair hearing. AIQ said the watchdog failed to provide adequate reasons for the enforcement order – for example, by failing to provide it with documents the ICO had received from third parties which the watchdog relied on to issue its order.
Don’t think that it takes an association with a scandal-racked organization for your business to be non-compliant - Google is not the only organization to ever have pre-ticked an opt-in box, and AIQ isn’t the first to have used data for something other than its original purpose when collected. Concerns like these are present for most organizations – so, does that mean your small to medium-sized enterprise is at risk of being labeled non-compliant and fined? Demonstrated effort doesn’t seem to be enough - the body that investigated and fined Google acknowledges the efforts that Google made attempting to comply and says that despite those efforts they have infringed upon the rights of EU citizens:
"Despite the measures implemented by GOOGLE (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations."
How can you know whether you are compliant? How can you tell if the measures you have taken to become compliant are sufficient in the eyes of the various governing bodies (aka, one in each EU country)? There’s a lot of information circulating on the internet about GDPR compliance, which can make online research difficult, and potentially unreliable. When in doubt, ask an informed expert – but whom?!
At ActZero, we have a team of qualified, experienced, CISOs who know the ins and outs of many compliance frameworks, including GDPR (and, NIST, PCI, SAMA, to name a few). Don’t think of this as “just” consultative advice – clients of ours who subscribe to the vCISO program can have policies written for them, templates created to be able to easily demonstrate how they comply, and have intensive audits prepared for. This is all under consideration of the specific needs of your business in mind, and particular requirements of your geography, vertical, or those of your customers.
Ultimately, our vCISOs have helped clients conduct a full ‘GDPR migration.’ Not an ‘assessment’ to tell you where you are and leave you to determine the solutions yourself; a partner that works with you to go from zero to hero, without buying anything else, or hiring anybody else. To find out more, check out our post on our vCISO program, or contact us to ask how we can help your business achieve GDPR compliance and protect your organization from cybersecurity threats at the same time.
Related Content: Check out our other Regulatory Compliance posts!