Google fined £44m over GDPR breach
8 months since the new GDPR regulations were enforced, Google has been hit with a £44m fine over their breach of the rules. Google are the first tech giant to be fined to such an extent, but this is not surprising when you consider that they are one of the biggest handlers and processors of personal data.
What is GDPR?
After many years in development, GDPR regulations were finally enforced in May 2018 to provide individuals with greater power and control over the distribution and storage of their personal data. Organisations are required to comply with the regulations and if a breach occurs the consequences can be very costly. The regulations state that the maximum fine an organisation can incur is €20m or 4% of their global turnover, whichever is the higher amount. It is thought that Google’s fine of £44m is relatively tame, given their turnover which could result is fines worth billions.
Google were fined £44m for a breach of the EU’s data protection rules by the French data regulator, CNIL. There were several failings made by Google including a lack of transparency, inadequate information and storage and a lack of valid consent regarding ads personalisation. GDPR regulations allow individuals to request access to all of their personal data held by an organisation, and the organisation must provide this information within one month. Organisations must also obtain explicit consent in order to communicate with individuals, and they must be able to retract their consent at any given time. A concise and transparent Privacy Policy outlining how data is processed, stored and maintained is an absolute minimum requirement.
Customer opt- In
It was found that when individuals opened a Google Account, the option to receive ‘personalised ads’ was pre-ticked. This is a breach of GDPR regulations because the individual is not opting in to this service and therefore explicit consent is not being gathered.
Data Access Requests
Research conducted by Talend, a cloud data firm, has found that Google is not alone in relation to their response to people’s data requests.
They found that 74% of UK organisations are failing to address personal data access requests within the required 1-month timeframe. A lack of organisation, structure and preparation with regards to data storage may account for this, alternatively the process in which these requests are managed and delivered could also be to blame.
In the instance of Google, the regulator deemed that their failure to be as a result of essential information being disseminated across several documents, therefore they lacked cohesion and control over such information.
What can we learn from Google’s GDPR breach?
This recent announcement should act as a reminder to all organisation, large and small, of the importance of being compliant. The rules surrounding GDPR are still very much open to interpretation and it remains a hot topic. Google has fallen foul of a breach resulting in a fine and there will be other organisations to follow. As an employer you should use this for a moment of reflection and make sure your organisation remains GDPR compliant now and into the future.
Support with GDPR from Lawson-West Solicitors
If you have concerns relating to your organisation’s compliance with GDPR and would like to seek further guidance, Rebecca Beswick, a member of our Commercial team is available to speak to. Simply call her on 0116 212 1000 or email her directly via rbeswick@lawson-west.co.uk. Last year we hosted a presentation on the subject of GDPR, the presentation can be found here.
This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.
View all
