If U.S. businesses believed the broad waters of the Atlantic would save them from the European Union’s new General Data Protection Regulation (GDPR), that illusion was dispelled on Jan. 21. That was the day on which the French privacy regulator Commission Nationale de l’informatique et des Libertés (CNIL) fined Google about €50 million ($57 million) “for lack of transparency, inadequate information, and lack of valid consent regarding the [sic] ads personalization.”
NOYB–European Center for Digital Rights and La Quadrature du Net — two privacy activist groups — brought the case almost as soon as GDPR came into effect on May 25, 2018. They claimed that users could not give specific consent for Google to process private data because its terms and conditions were too ambiguous.
The regulator agreed. In the first big case to be decided under the new regulations, CNIL ruled that Google had breached the requirement for transparency. If customers wanted to find out how their data was used — especially for the business’ geo-tracking service — they would have to click through five or six different pages on the company’s site. Even then, some of that information was “not always clear nor comprehensive.” In addition, CNIL said that because the company used the data for an array of services, Google’s legal basis for processing it for each individual service was too opaque to the customer.
The regulator also found fault with Google’s consent procedures for targeting customers with personalized ads. It complained that users had to go into the “more options” menu to modify how their data would be used — the consent box there was already pre-ticked. More importantly, CNIL noted that in creating an account, the user was effectively agreeing to a range of data processing by the company — involving ads personalization, speech recognition, and more — which were all covered by a single agreement. “GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose,” CNIL concluded.
GDPR Is Just the Start
While Google has appealed the case to France’s top administrative body, the Council of State, CNIL’s train of logic provides an indication of how regulators are interpreting key aspects of GDPR for organizations based anywhere in the world and how they are applying fines. More than that, GDPR is likely to change the way organizations handle private data globally. No wonder internal auditors who felt they had crossed the finish line when GDPR went live are realizing they have just begun the race.
“Many U.S.-based organizations wish that they would have started their GDPR compliance efforts earlier,” says Jan Hertzberg, independent privacy consultant and adjunct professor at DePaul University in Chicago. Last year, many of them focused on updating their privacy policies and notices just before GDPR requirements went into effect. In the year to come, they plan to prioritize enterprisewide, GDPR risk assessments “to identify their greatest risks” and perform GDPR governance audits, he notes.
This new focus on data privacy is timely because GDPR’s underlying philosophy is finding its way into new regulations around the world: Customers have to specifically opt into services, their consent over data processing has to be explicit, they have a right to know what data organizations hold and how they use it, and organizations must have rapid response processes to notify regulators and customers of serious data breaches. In the EU, for instance, the provisions of GDPR will be extended to electronic communications by a new e-Privacy Regulation, which is expected to come into effect later this year. These rules will govern how organizations can send out unsolicited marketing emails and text messages, will enable web users to set their cookie preferences on their browsers, and will stiffen up confidentiality rules for internet businesses.
Further afield, China last year introduced a slew of regulations on cybersecurity, data protection, and cross-border data transfer with distinctive GDPR-type features. And in the U.S., the California Consumer Privacy Act of 2018, which takes effect in 2020, features opt-out clauses, transparency rules, and rights for customers to be forgotten similar to those contained in GDPR.
Internal auditors are working to better understand the regulators’ approach in balancing advice and punishment. Some are busy building networks within and outside of their organizations to help them understand the rules and what they mean to their enterprises. While increasing their IT competencies is likely to be important, getting to grips with strategic issues is key.
GDPR applies to all businesses that hold the personal data of citizens of the EU, making businesses outside of Europe potentially subject to European rules. In this year’s Google case, CNIL made an important distinction that is likely to carry weight for complaints involving U.S. companies and others based outside of Europe. Despite the fact that Google’s European headquarters are in Dublin, Ireland, CNIL brought the case against the U.S. parent Google LLC. It ruled that because the U.S. office had the final say on how data collected through its Android app was used, the U.S. parent was legally responsible for complying with GDPR. Any fine is calculated, therefore, on the parent company’s turnover. In 2017, Google LLC had turnover of $110 billion, so the company could have been fined $4.4 billion, rather than the $57 million imposed by CNIL.
The U.K. regulator, the Information Commissioner’s Office (ICO), says fines do not represent the biggest threat to organizations from GDPR. It says the idea that there will be massive fines is “myth No. 1” when it comes to understanding how regulators are implementing and interpreting their new powers. “In terms of powers and sanctions, the ICO aims to educate and support organizations in fulfilling their responsibilities in relation to data protection,” says Debora Biasutti, lead communications officer for the ICO. “Issuing fines has always been, and will continue to be, a last resort.”
At the time of publication, the U.K. could potentially leave the EU without a formal set of agreements to govern how data on citizens is used between the two territories. If that happens, the U.K. will be covered by the 2018 Data Protection Act, which enshrines most of the provisions of GDPR into U.K. law.
Early indications are that regulators are working with businesses to help them comply but are prepared to fine them “proportionately” for perceived noncompliance. How regulators are seeking to help organizations can be seen by a series of cases involving much smaller businesses than Google.
In December 2018, for example, CNIL closed a GDPR consent case with a small French ad tech firm called Fidzup. According to the online magazine TechCrunch, Fidzup worked with CNIL to create a longer consent form so that customers could opt into, or out of, every service it offered individually, which echoes CNIL’s approach to Google.
“Now, okay, we have something between the initial asking for the CNIL — which was like a big book — and our consent collection before the warning, which was too short with not the right information,” Fidzup CEO Oliver Magnan-Saurin told TechCrunch. The amended consent form is still a long read, he concedes. The company also had to alter the way its technology worked so that, for example, the app and its geolocation features worked even if the data did not go to advertisers when the user opted out.
It is not clear whether internal auditors have fully grasped the extra-territorial reach of GDPR, according to recent IIA research. The 2019 North American Pulse of Internal Audit found that while 70 percent of chief audit executives (CAEs) surveyed were highly concerned about suffering reputational damage from privacy issues, only 29 percent expressed high concern about compliance with GDPR — although that concern grew to 62 percent among large organizations. “This could reflect some misunderstanding of how and when these new data protection and privacy rules apply,” the report says. The fact that the rules are not based on the location of the organization, but on the location of the customer whose data is being gathered, could have led some CAEs to believe their businesses are not affected, the report suggests.
Hertzberg says organizations’ apparent slowness to respond to GDPR requirements may be attributed in part to a lack of knowledge of GDPR requirements along with lack of clarity as to how to comply. He is somewhat critical of what he sees as the shortage of attention the EU has paid to educating businesses outside Europe. “Since this is so obviously a worldwide phenomenon, European regulators would do well to consider the foreign players more,” he says.
“Lack of awareness of GDPR requirements is a critical issue for organizations’ management, staff, and board,” Hertzberg adds. Internal auditors and compliance professionals often struggle to get those stakeholders to pay attention to what seems to be a European issue. “Now that the newness of GDPR has worn off, there is a concern that these requirements will get even less attention in the future,” he explains.
Hertzberg notes that some internal audit management — for example, CAEs and directors of internal audit — may be reluctant to hire cybersecurity and privacy specialists for their departments. Instead, they have chosen to collaborate with their own general counsels, chief information security officers, and chief privacy officers to help them come to grips with what the regulations mean in practice. They also have enlisted assistance from third-party consultants.
Overall, CAEs have put focus on cybersecurity and privacy awareness so those with operational responsibilities clearly understand that they must “own” the data they collect and use. In doing so, they will better understand the need for and the issues around the retention and protection of personal data. More problematically, he says, businesses have been less clear about which named person is ultimately responsible for the data that the organization owns.
“Compliance requirements, like GDPR, are forcing changes in the way that data is handled in many organizations,” Hertzberg says. “For CAEs, it is not just about data privacy, but data integrity throughout the business. That will mean internal auditors pay more attention than ever to data and become more data-centric in their approach to providing assurance.”
Dominique Vincenti, CAE at Uber and former vice president of internal audit at Seattle-based Nordstrom, says the initial risk for the department store business compared to larger online retailers was thought to be minimal because the proportion of shoppers based in Europe that use its online services is relatively small. “We used the opportunity to energize management around the topic because we felt that if it is not specifically GDPR, it is going to be something else that is GDPR-like,” she says.
Sure enough, a few months after GDPR took effect, California passed its own consumer protection laws. Vincenti says she would not be surprised if similar federal laws were in the pipeline. “California is significant to all U.S. businesses,” she explains. “If you are going to comply with its GDPR-like provisions, you are not just going to adapt your systems to only do so for your customers in California because it would be too difficult to segregate your customers. You just go with the highest common denominator.”
Vincenti says she expects most internal auditors will be ahead of the game when it comes to understanding the significance of such regulations. First, most will understand that the majority of organizations have poor data governance processes in place, so GDPR provides an opportunity to start addressing how businesses manage and govern data effectively. Second, those data governance weaknesses make GDPR a business issue, rather than a technology issue. “Internal audit needs to help the business understand whether it is leveraging and protecting this crucial asset as well as it should,” she says.
Models and Strategy
As GDPR-style regulations become more prevalent, businesses may need to rethink their strategic plans, says James Reinhard, audit director at Simon Property Group in Greenwood, Ind. For example, instead of modeling an online initiative to contain data in a centralized server, a company may need to devise a more dispersed, decentralized model where it retains data in various countries because some of its target jurisdictions may prohibit cross-border data transfers. This, in turn, could affect the cost, reach, and viability of such projects.
“If internal audit has a good seat at the table, it can be a sounding board for both executive management and the audit committee, and it can assess how well the changing environment is being monitored by management,” he says. “If such alignment with management is not there, this is going to be an increasing problem for internal audit.”
Reinhard says CAEs may strengthen their IT competencies to enable them to conduct more sophisticated data privacy reviews, tracking and protecting such data as it flows through increasingly digitalized businesses.
“Internal audit will need to rely on the company’s legal counsel to provide guidance on interpreting what is the use of a specific set of data and the manner in which it must be secured,” Reinhard says. “Naturally, if the company’s legal interpretation is incorrect, then internal audit’s opinion on attesting to compliance could be incorrect, too.” Expanding internal audit’s professional network can enable it to benchmark and find ideas that can be brought back into the organization, he adds.
Regardless of where they are based, many businesses are struggling to understand what GDPR means in practice, says James Castro-Edwards, a partner at the London law firm Wedlake Bell. “We’ve heard of organizations issuing hundreds of pages of information in response to subject access requests when that is not what the law required them to do,” he explains. There is a similar trend in reporting minor data breaches where the affected information is either low risk — people’s names and addresses — or where it has been suitably encrypted and protected.
“Internal auditors are going to have to focus a lot more sharply on data protection compliance,” Castro-Edwards says. That could include providing assurance on the business’ understanding of materiality so that management is not wasting time over-reporting. The ICO has commented on the widespread over-reporting of personal data breaches since GDPR took effect. Many incidents have been reported on a cautionary basis, while the mandatory obligation to maintain a record of incidents — including an explanation of any decisions not to report incidents — may have been overlooked.
Castro-Edwards says regulatory enforcement action will gradually help businesses understand GDPR better. But fresh legal risks are still emerging.
Last year, the U.K. supermarket Morrisons found itself on the end of group litigation — or class action as it is known in the U.S. — brought on behalf of just over 5,500 employees. The plaintiffs were among 100,000 Morrisons workers whose personal details were released on the internet by a disgruntled former employee. In what could be the first of many such cases, a U.K. lawyer brought the action following a relatively recent development in the common law that established the principle that people affected by a personal data breach may be able to claim compensation for pure distress.
“It is early days, but this could become as big a risk for businesses as ICO enforcement activity, because of the number of individuals typically affected by a high-profile data breach,” Castro-Edwards says. “Each affected individual need only claim a small sum for distress for the potential damages to mount up to a significant sum.”
That could mean that a U.S. company holding data relating to U.K. customers could find itself caught up in a class action. “The fact of the matter is that the ICO and other regulators have limited resources,” he says, “but any lawyer with the time and energy could bring this type of claim on behalf of a large number of individuals following a personal data breach.”
Perhaps the key lesson of GDPR for internal auditors is that the new regulations not only changed the rules on data privacy and processing, they changed the game. It is a game where the winners will have good data governance and pay close attention to how the rules are developing globally. Internal auditors who have strong networks across the business and beyond will be able to support the board on how GDPR may impact both operations and strategy. They will, in short, be a key player on the team.