Just last week, Google was fined €50m, or over $57 million by Commission Nationale de l’Informatique et des Libertés (CNIL), the French Data Protection Authority, for violating the General Data Protection Regulation (GDPR). The case makes it apparent that organizations must make GDPR compliancy a priority.
In two separate complaints, pressure groups, None of Your Business (NOYB) and La Quadrature du Net (LQDN), argued that Google was collecting personal data from the users of its services for purposes such as personalized advertising, purportedly “enforcing consent,” given the lack of an alternative, aside from not using the services, and failing to be transparent about the use of personal information.
While this fine may be a minor inconvenience to the tech giant, the case underscores the need for businesses and personnel, particularly chief compliance officers and chief data privacy officers, to become well-versed in GDPR.
The GDPR came into effect on May 25, 2018. The new European data regulation, for which there is no equivalent in the United States, has set a worldwide standard for users’ privacy and data protection. Given that many US-based businesses cater to global consumers, the effect of these laws extends far beyond Europe itself – as we can see from the Google case – and organizations’ employees need to be trained in and understand the regulation. It doesn’t matter where the organization is located or headquartered; any organizations that do business in the European Union or the European Economic Area (EEA) must comply with the GDPR.
The GDPR protects any information that could be used to identify users, including names; photos; email addresses; dates of birth; ethnicities; religions; financial records; medical information; employment history; and much more. More specifically, organizations must:
- Solicit consent from users to collect personal data and give them the opportunity to opt out at any point. (This includes soliciting consent from the parents of minors.)
- Engage in “data protection by design,” demonstrating that they are taking clear and structured measures to protect users’ personal data.
- Report any data breaches to the national regulator within 72 hours.
Organizations that fail to comply with the GDPR could face fines of up to €10 million, or 2% annual global turnover – whichever is higher.
Because organizations must continue to demonstrate their accountability and ensure that their practices are GDPR compliant, your staff must be knowledgeable and well trained in the laws. Furthermore, organizations should implement compliance training solutions, personalized for all employees, not just those directly involved with data security.
At Interactive Services, we recommend providing training essentials and awareness programs for every employee to educate personnel on concepts like data controllers, data processors, and data subject, and additional topics including consent and privacy statements. Advanced role-specific training should be implemented for different areas of specialization and expertise; for example, human resources employees will handle information differently from how marketing and sales personnel do. Employees dealing with data privacy directly, such as your chief data protection officer, specialist lawyer, or senior members of the data privacy team, should become “GDPR champions,” receiving an advanced level of training.
This type of compliance training should occur annually, and you should continually review your policies and ensure that they are up-to-date.
How can you make sure your organization is GDPR compliant? At Interactive Services, we offer personalized training to ensure all of your employees understand the regulation and how it affects their work and specific role within the business. Start a free trial of our GDPR Training today!
Written by Mark Dorosz, Head of Interactive Compliance Training (ICT), Interactive Services.
For more information contact Becky Murphy (firstname.lastname@example.org), Client Engagement Manager, Interactive Services