Google's recent unsuccessful attempt to appeal a GDPR fine is an important turning point in the war against non-compliance. If Google isn't exempt, no one is.

In short, Google lost its appeal against last year’s ruling by French data authority CNIL, which saw the tech giant penalized €50 million for not complying with GDPR privacy legislation.

In January last year, Google was accused of using a vague and unclear process for gathering data and failing to sufficiently inform its users of how their information would be used. The CNIL sanctions also stated that the search giant did not have a legal reason for processing personal data for advertising purposes. Google appealed against the decision on the grounds of jurisdiction.

Google isn’t the first large corporation to be penalized for not complying with the GDPR. One of the biggest GDPR infringement fines to date was handed to British Airways for the hefty sum of £183.39 million after the airline suffered a major data breach in September 2018.

The maximum GDPR fine that can be charged is 4% of a company’s global turnover. The British Airways fine represented just 1.5% of the company's turnover.

Compliance, it seems, can no longer go ignored.

What about the US?

The GDPR extends to all businesses that offer goods and services to European residents and collect personal data in the process. In some cases, organizations operating outside of the EU still need to comply. For example, if your business collects personal data from customers currently residing in the EU, then you need to comply with the provisions of the GDPR.

US lawmakers take data privacy violations just as seriously as those in the EU. The California Consumer Privacy Act (CCPA) came into effect this year and aims to impose its own regulations on the collection and use of customer data.

According to Techcrunch, CCPA fines amount to $7,500 per intentional violation, $2,500 for unintentional violations, and $750 per affected user in civil damages. If your company suffers a data breach affecting 500 000 customers, the penalties could be catastrophic.

Other privacy legislation US businesses need to be aware of include:

- HIPAA: relating to patient health information

- PCI Level 1: relating to payment platforms

- FERPA: also known as the Family Educational Rights and Privacy Act

- GLBA: relating to the financial sector

What you can do

The first step to successful regulatory compliance is to conduct data and security audits to determine what data you have in your permission and how it’s being protected. A data discovery tool can help you locate and identify sensitive data in your business databases. 

If you need to retain or share customer data for any research or testing purposes, then data masking is preferable over encryption. Data masking masks or de-identifies sensitive information such as first and last names, email addresses, phone numbers, and social security numbers, to protect the data from misuse and unauthorized access. 

Both data masking and data discovery tools meet the minimum requirements of the GDPR, HIPAA, GLBA, PIPEDA, and FERPA, among others. 

The most important step you can take, however, is to be transparent with your customers about how you’re using their data.

Safeguard your data effectively with Hush-Hush Sensitive Data Discovery Tool and Masking Components. Request a demo today.