ISACA Now Blog


Google’s GDPR Fine Reinforces Need for Intentional Data Governance

Andrew Neal, C|CISO, CISM, CRISC, CCFP, CIFI, LPI, President, Information Security & Compliance Services, TransPerfect Legal Solutions, and ISACA conference speaker
Posted at 9:59 AM by ISACA News | Category: Privacy

For those of us who work in information security, data privacy and governance, we seem to traverse daily from one headline to another. A new corporate victim announces they were breached to the tune of 100 million records. A regulatory body announces a financial and oversight settlement with a company for failure to adequately protect data. On and on we go.

Because of this constant onslaught, nobody was terribly surprised to hear about the €50 million fine leveled against Google by French data privacy regulators for violations of GDPR. We all knew a big enforcement action was coming, and that the early, large fines would be against a social media or tech giant. Check and check. But what does this mean for organizations on a broader scale?

As I draft this post on Data Privacy Day, trying to find the larger meaning in this first-of-many large fines, I am faced with many possibilities. Could the message be about regulatory muscle-flexing, or is it about corporate arrogance and gamesmanship? Is this a legitimate assertion of individual rights against a corporate giant, or is it an attack against a successful tech company and its profit model? In GDPR, are we looking at the shape of tomorrow’s global data environment, or are we seeing a regulatory trend that risks stifling innovation and “free” service delivery? Of course, the answer is all of the above.

The regulatory authorities across the EU who are charged with enforcing GDPR must, at some point, exercise their authority. No regulation can be effective until it is applied, tested and, ultimately, proven or defeated in practice. At the same time, some organizations may look at the details of the regulation and make a risk-based assessment that they have done enough to comply with their own interpretation of it, reasoning, “We have taken some [less-than-perfect] actions; let’s see what happens.” The rights to one’s personal data are becoming more widely accepted as a given, but many consumers are still willing to casually or selectively trade some of those rights for convenience or services. With data privacy and security laws and regulators proliferating and evolving, data-centric business activities and profit models must be more carefully engineered and scrutinized. All of the above.

This recent and highly publicized enforcement activity is likely to spur additional compliance efforts from many organizations. Few can absorb a fine with that many zeros in it. On a strategic level, however, it may well contribute to the gradual paradigm shift away from the whack-a-mole approach to security and privacy regulations, and toward a philosophy of intentional data governance and strategy.

There are many financial and organizational benefits to proper data governance, including lower infrastructure costs, better litigation readiness, a smaller cyberattack footprint, and better visibility for regulatory compliance. But sometimes it takes a negative result befalling somebody else to make us ask the right questions and do the right things. Time will tell whether a hefty fine is enough to move the behavioral needle for Google, or for the rest of us.

Editor’s note: For more on this topic, read “Maintaining Data Protection and Privacy Beyond GDPR Implementation.”

Comments

Are we on the right track?

I personally support Google in the sense that, given the contributions Google is bringing to the area of AI, Google needs massive datasets to earn accuracy. Now, if people have to give consent to their location every time through Google Maps, then the sufferer will be the person himself/herself, as he/she will be taking the shortest route based on the Google Maps AI decision. Now the governing bodies need to educate themselves and understand what sort of information, to what extent and in which context, should follow GDPR, and what the consequences are. Otherwise, by pressurizing tech giants like Google, Microsoft, Facebook etc., we will be ruining our future.
Rafat at 2/5/2019 11:23 PM