The Cost of Noncompliance: User Consent Is a Very Expensive Issue

"Hey Google, what’s the cost of noncompliance?” Failing to comply can cost you $56.8 million—the dollar figure Google owes for breaking the EU’s General Data Protection Regulation (GDPR). While this multi-million dollar mistake delivers a hit to the tech giant’s reputation and checkbook, it has far-reaching implications for any organization with an online presence.

Google’s largest-so-far GDPR fine was based on severe infringements against the essential framework of the regulation: Google failed to provide a transparent, accessible way for users to consent to its data policies. To give consent—and opt out of previously opted-into advertising personalization—users had to navigate Google’s platform and complete several steps. Users were also unaware that by opting into one service (YouTube or Google Maps) they were opting into Google’s entire service suite.

For more articles like this, check out the Cyber Security Sourcebook here.

The issue and fine are so inflated because Google’s economic model is based partly on its data-driven advertising personalization and the revenue those ads create. Yet, the nearly $60-million fine still represents less than half of the profits Google earns from user data each year.

GDPR Beyond Borders

Google probably won’t be the only enterprise humbled by a hefty bill from the EU. Every enterprise that touches the data of EU citizens is required to comply with GDPR—that’s 52% of U.S. companies and 500 of the world’s largest corporations. If the purpose of Google’s fine was to send a message to other corporations collecting mass amounts of user data, the message rang loud and clear.

Severe noncompliance penalties and a growing number of consumer watchdog groups necessitate a major change in how enterprises (inside and outside the EU) protect and manage user data. Consent forms can no longer be cleverly hidden on websites and every data use case must be clearly highlighted to users, requiring clear consent before personal data is collected.

Once the use of data is explicitly spelled out, only a small segment of consumers will be willing to volunteer their personal data to the corporation. This could result in a shortage of data for targeted ads, leading to decreased effectiveness and inflated prices. If enterprises wish to continue tailoring their marketing initiatives to the user, then they need a platform that inspires users to trust them with their personal information.

Remaining Compliant With a Modern CMS

To stay compliant and keep users confident, enterprises need a reliable content management system (CMS). A modern CMS takes the guesswork out of GDPR compliance and assures users that they are in control of their data—even after they consent to its collection.

  • Managing Consent—A CMS ensures that users have a clear path to either give or withhold consent, including website cookies. This happens during the form-building process with a set of privacy-aware templates used to collect personal data and obtain consent. In this way, consent is obtained directly on the form where the user is already filling out information. When the user submits the form they receive a double-opt confirmation in email. This makes sure that consent is genuine.
  • Storing Personal Data—Enterprises are only allowed to capture personal user information if the data is stored and cataloged according to the GDPR standards. The CMS should assess the data against GDPR rules and store it accordingly. Data storage rules extend to mobile apps, requiring data encryptions that protect the data no matter where it is accessed. Users also have the right to be forgotten. The CMS should provide a way for users to delete their data from storage with a request form followed by a confirmation email.
  • Accessing Personal Data—A large part of the GDPR involves user access to data. If users request their data, organizations must present the data in a timely manner. A CMS with viewable and accessible data repositories keep enterprises compliant. The CMS can export a file of all the personal data collected, from a user. This file includes the data collected, the reasons why it was collected, and a list of any third parties with which the data may have been shared.

For organizations around the world, GDPR has changed the nature of personal data collection. Across industries, enterprises are updating their CMSs to keep pace with strict regulations. By streamlining the way in which user data is obtained, stored, and accessed, leading enterprises can be sure they are compliant and avoid learning the lesson that Google did.

For more articles like this, check out the Cyber Security Sourcebook here.