GDPR fines were inevitable. Despite years of lead-up and months of warning before the legislation took effect last May, many companies simply weren’t prepared for the complex (and evolving) nature of EU privacy expectations.
Now search giant Google is in the compliance law’s crosshairs: As noted by Bloomberg, Google has been assessed a $57 million fine because it “fails to adequately explain how it collects data to offer personalized advertising.” For some experts, the fine is a warning of things to come—companies must improve their data handling or face the consequences. For others, the penalties are a step too far with a purpose too vague.
The hard truth? No matter where opinions fall, GDPR fines are now out in full force—and your application could be next.
It’s no surprise that a large enterprise like Google is making headlines for its substantial fine—nor is it surprising that data regulators are looking hard at the massive search company and its cadre of marketing, sales, and advertising tools. According to France’s data regulator, Google’s personalized advertising consent form contains “extensively disseminated” information and consent boxes that are “pre-ticked,” potentially causing users to overlook their contents. Under GDPR, this creates user consent that is overly generalized and ambiguous.
Google isn’t the only large tech company under scrutiny: As noted by Silicon Republic, Facebook is being investigated by Ireland’s Data Protection Commission for a bug that permitted hundreds of apps to access user photos without permission.
Meanwhile, according to IAPP, smaller fines have also been handed out to organizations for illegal video surveillance activities, illicit access to patient information, and the data breach of a German social media company. These fines were smaller—ranging from $5,000 to $800,000—but made it clear that GDPR has both bark and bite.
Despite the high fines levied against Google, they’re not the pinnacle of GDPR penalties: Companies could lose up to 4 percent of their annual turnover or €20 million, whichever is greater. Techopedia noted this has spurred an uptick in hacker extortion techniques: Malicious actors compromise a network and threaten to publicize the data breach unless their demands are met. Along with hefty payments, companies risk getting duped—hackers could take the money and still release stolen data to prompt GDPR fines.
In the United States, companies should expect discussion about GDPR-type legislation over the next year as legislators look to emulate—or push back against—Europe’s data regulation. According to ValueWalk, this potential privacy law would likely be “a counterweight model to the GDPR” but would also focus on the protection of cross-border data and world engagement with American enterprises.
What does this mean for organizations looking to safeguard their data? GDPR is just the beginning—from the uptick in malicious actors to stateside legislation, data privacy is now paramount.
Data breaches don’t happen in a vacuum. Information is typically stored in databases and created, accessed, and changed through software applications. Vulnerabilities or poor security implementations in those applications can be exploited to obtain sensitive data. The result is a kind of unintentional oversight: The apps created by development and DevOps teams are often overlooked as potential infosec issues. Now, however, data processors have regulatory and statutory obligations, and with GDPR, protecting applications has become more important than ever.
Let’s use Facebook again as an example: Recent research found that 61 percent of tested Android apps shared data with the social platform as soon as users opened the application—without their consent and regardless of whether they had a Facebook account.
Is there some culpability for Facebook here? Absolutely. However, by adding Facebook-connected code into their apps, developers and DevOps teams may be putting their organizations in harm’s way. Simply put? If your application is identified as the source of a privacy breach, your company pays the fine — even if data is routed to social giants like Facebook.
The same rule applies to maliciously modified apps. If GDPR and other compliance regulators find that your organization didn’t exercise “due diligence” in reporting potential breaches, responding to alerts and log reports, detecting unauthorized access, and preventing initial compromise, the results could be costly.
How can DevOps teams protect their apps and avoid GDPR fines? As Tech Beacon notes, start with encryption, use HTTPS for improved security, ensure apps always inform users about data collection policies, and ensure applications collect the bare minimum of data required.
Then, tackle the source of data breach issues by deploying runtime application self-protection (RASP) tools capable of detecting unauthorized or unexpected app use, terminating app sessions, or notifying IT admins. Next, leverage application shielding solutions that prevent attackers from debugging app functions and employ obfuscation techniques to frustrate hackers attempting to steal your source code.
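The consent and minimization steps above, together with the “detect unexpected use and terminate the session” behavior described for RASP tools, are easier to reason about in code. The following is an added example, not code from the original post or from any product it mentions; the purposes, field names, thresholds and the `process` flow are all constructed for illustration. It builds consent only from boxes the user actively ticked (so a pre-ticked default grants nothing), strips every field a purpose does not need, and cuts off a session that pulls more records than a normal user would.

```python
"""Explicit consent, data minimization and a small runtime check.
Added example; purposes, fields and thresholds are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed: the minimum fields each processing purpose needs, and whether
# the purpose runs only on the user's opt-in (a simplification of the
# lawful-basis question, enough to show the mechanics).
PURPOSES = {
    "account":          {"fields": {"email", "password_hash"}, "needs_consent": False},
    "shipping":         {"fields": {"name", "street", "city", "postcode"}, "needs_consent": False},
    "personalised_ads": {"fields": {"email", "browsing_history"}, "needs_consent": True},
}


class ConsentError(PermissionError):
    """Raised when a consent-gated purpose runs without an explicit opt-in."""


@dataclass
class Consent:
    purposes: Set[str] = field(default_factory=set)

    @classmethod
    def from_form(cls, form: Dict[str, str]) -> "Consent":
        """Grant a purpose only when its checkbox was actively submitted.
        A missing key or an empty value grants nothing, so there is no
        pre-ticked default hiding in the server-side logic."""
        granted = {
            name for name in PURPOSES
            if form.get(f"consent_{name}", "").strip().lower() in {"on", "true", "1"}
        }
        return cls(granted)


def minimise(record: Dict[str, str], purpose: str, consent: Consent) -> Dict[str, str]:
    """Return only the fields `purpose` needs, refusing gated purposes
    for which the user never opted in."""
    spec = PURPOSES.get(purpose)
    if spec is None:
        raise ValueError(f"unknown purpose: {purpose}")
    if spec["needs_consent"] and purpose not in consent.purposes:
        raise ConsentError(f"no explicit consent for {purpose}")
    return {k: v for k, v in record.items() if k in spec["fields"]}


@dataclass
class SessionMonitor:
    """Runtime check in the spirit of RASP: count how many records a session
    pulls and terminate it once the count exceeds a normal user's pattern."""
    max_records_per_session: int = 50
    counts: Dict[str, int] = field(default_factory=dict)
    terminated: Set[str] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

    def allow(self, session_id: str, n_records: int = 1) -> bool:
        if session_id in self.terminated:
            return False
        self.counts[session_id] = self.counts.get(session_id, 0) + n_records
        if self.counts[session_id] > self.max_records_per_session:
            self.terminated.add(session_id)          # stop the session
            self.alerts.append(                      # and tell the admins
                f"session {session_id} terminated after "
                f"{self.counts[session_id]} records (limit {self.max_records_per_session})"
            )
            return False
        return True


def process(record: Dict[str, str], purpose: str, consent: Consent,
            session_id: str, monitor: SessionMonitor) -> Dict[str, str]:
    """Full path for one record: runtime check first, then consent and
    minimization. Returns the minimized record or raises."""
    if not monitor.allow(session_id):
        raise PermissionError(f"session {session_id} terminated")
    return minimise(record, purpose, consent)


if __name__ == "__main__":
    # Constructed sample input: a full customer record and a form with
    # only the ads box ticked.
    customer = {"name": "A. User", "email": "a@example.test", "password_hash": "x",
                "street": "1 Main St", "city": "Lyon", "postcode": "69001",
                "browsing_history": "[...]", "phone": "+33..."}
    consent = Consent.from_form({"consent_personalised_ads": "on"})
    monitor = SessionMonitor(max_records_per_session=2)
    print(process(customer, "shipping", consent, "s1", monitor))
    print(process(customer, "personalised_ads", consent, "s1", monitor))
    try:
        process(customer, "account", consent, "s1", monitor)
    except PermissionError as e:
        print("blocked:", e, monitor.alerts)
```

The useful property is that the allowlist lives next to the purpose, so adding a field to a form does not silently widen what an integration (including a third-party SDK) can read; the monitor is deliberately crude, and a real RASP product keys on far more than a record count.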
GDPR legislation makes it clear: Companies must be prepared to handle “state-of-the-art” hacking techniques and reliably secure user data with protection by design to avoid stinging penalties. Your best bet? Secure data where it lives, works, and moves—protect your apps to prevent GDPR penalties.