COUNTRY FOCUS: FRANCE
Matt Lock, Director of Sales Engineering
at Varonis
committed to meeting those expectations
and the consent requirements of the GDPR.”
Industry experts have had their say on the
CNIL’s decision to fine Google, with Matt
Lock, Director of Sales Engineering at Varonis,
stating that the news should be ‘hitting
companies like a cold shower’.
“The new fine facing Google will quickly
dispel any lingering doubts that the EU
would go easy on companies found in
violation of the GDPR,” he said.
“It’s not a stretch to say that a proverbial
storm is gathering as privacy groups rally
to their cause and seek to uphold major
global companies as examples of lax privacy
controls. The news should serve as an impetus
to organisations that have yet to prioritise
their GDPR compliance programmes and
hoped to simply fly under the radar – their
luck may be running out soon.”
Fouad Khalil, Vice President of Compliance
at SecurityScorecard, highlighted that it was
‘no surprise’ that the fine had been issued
by the French privacy watchdog.
“CNIL is the only regulator that issued
any kind of GDPR compliance guidance
in an effort to shed light on compliance
requirements. Even though Google’s
European headquarters is based in Ireland,
that did not stop GDPR watchdogs from
transitioning the enforcement to France
where it is considered to be more effective,”
he said.
“The new year is upon us, as is GDPR
enforcement and fines. Companies that
have sat back and watched the privacy tidal
wave hoping that it will miss them should
reconsider. As with any new regulation, most
companies scramble to comply once they
realise the ramifications are real.
“We are learning that no one is beyond
GDPR reach – Google was fined €50 million
due to people ‘not [being] sufficiently
informed’ about how Google collected data
to personalise advertising.
“The regulator indicated that Google
provided inadequate information to its
consumers as well as having had invalid
consent for personal data use. This confirms
how critical an accurate and up-to-date
personal data inventory is.
“Organisations must ensure all data is
properly identified, classified, processed,
transmitted, consented for use and much
more. Furthermore, point-in-time
compliance does not cut it as continuous
assurance (monitoring and auditing) is a
must to ensure ongoing compliance.
“In today’s world, managing privacy has
become the norm as regulators, auditors
and privacy rights groups are keeping
a watchful eye. Slapping Google with
such a large fine is only possible due to
confirmed violations most surely reported
by consumers and privacy rights groups.
I suspect this will be the first of many to
follow in 2019 as GDPR compliance is now
in the enforcement phase.”
Meanwhile, Alex Hollis, GRC Practice Director
at SureCloud, said the CNIL had certainly
‘lived up to its reputation’ around matters
for data protection in taking action.
He said: “Since last May, we have seen the
dip following the initial interest and have
been expecting these legal cases to emerge.
“The scale of the fine for Google is not the 4%
which is allowed under the regulation, which
must go some way to acknowledging the steps
and controls that Google has taken. It should
certainly serve as a caution to those who don’t
have the legal protection that Google has.”
Ryan Kalember, SVP, Cybersecurity
Strategy, Proofpoint, commented: “This
GDPR fine brings to light some vital lessons
for other businesses observing this crisis
from a distance. By becoming the highest
fined company since GDPR came into
force, Google is now the black and white
case study of ‘what could happen’ in the
event of non-compliance. In a privacy-first
world, companies must build a
people-centric compliance strategy, which can
only start by getting visibility into highly
regulated data, the systems that process
that data and identifying who within your
business has access to that data.
“Many organisations are still unsure
whether their GDPR compliance strategy
is 100% fit for purpose, but this incident
signals that long gone are the days
where privacy can be relegated to an IT
or compliance effort: the magnitude of
this fine clearly shows this is a business
issue. Compliance professionals now
have a use case to take to the board to
secure any funding and resources they
need to become GDPR compliant if their
organisation isn’t today.”
Paul Farrington, Director of Solutions
Architecture (EMEA) at Veracode, also
commented: “The fine against Google
is an indication of the serious focus
on privacy and security by regulators.
Global enterprises must take steps to
ensure security hygiene and compliance
with standards to reduce their risk and
protect data.”
Ryan Kalember, SVP, Cybersecurity Strategy
at Proofpoint
Bharat Mistry, Principal Security Strategist
at Trend Micro said: “This just goes to