Compliance is a topic that’s been inching up the boardroom agenda for several years now. More than ever, organisations need to demonstrate that they are properly governed and that they meet regulatory compliance requirements, at a local, national and international level, and also those set by different authorities in various industries.
This has never been truer than it is in 2019. With more compliance requirements than ever, organisations have been hit with some of the biggest fines and penalties that the business world has ever seen. Only recently we saw the biggest German GDPR fine to date when the Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5m fine on a German real estate firm.
This continues a theme that was almost ever-present throughout 2019 – rising GDPR fines that were enforced with increasing regularity by the national Data Protection Authorities (DPAs) across the EU. This willingness to issue eye-watering fines to organisations that were non-compliant with GDPR was a feature of the 2019 compliance landscape, but what else was prominent in 2019?
2019 – the year of GDPR enforcement
The year started with a major GDPR infringement. In January, the French Data Protection Authority (CNIL) issued the first French GDPR penalty, when it fined Google a record €50m for failing to provide its users with transparent and understandable information on its data use policies.
This was a major shock for two reasons. Firstly, even though the EU had always been clear about the severity of its fines – up to €20m, or up to 4% of the annual worldwide turnover of the organisation – €50m was a significant penalty. Secondly, by hitting one of the world’s largest companies and holders of consumer data, the DPAs showed that they were ready and willing to enforce GDPR, not merely pay lip service to it.
This set the tone for the year, with the summer seeing two further massive fines for non-compliance, for British Airways (£183m) and Marriott Hotels (£99m). It wasn’t just the biggest firms either. Throughout the year there were many smaller fines, for organisations such as a Polish football association, a Belgian retailer and a Hungarian bank.
2019 rounds off with that €14.5m fine for the German property firm Deutsche Wohnen. The key takeaway here is that organisations of all sizes and in all sectors are not safe from DPAs willing to enforce GDPR. Data protection is of vital importance and personal data must be protected accordingly, with a focus from senior management and the right GRC tools for the compliance team.
Getting ready for the California Consumer Privacy Act
It’s not just in Europe and the EU that organisations need to be more aware of data privacy regulation. In the US, the California Consumer Privacy Act will come into force on 1 January 2020 and is already regarded as one of the most sweeping pieces of legislation to ever hit the US. Any organisation doing business with Californian consumers must document and disclose all personal data on customers or face financial penalties for every person on their system.
The state of California has almost 40 million inhabitants, and the new legislation seeks to protect the data relating to all of them. Also known as ‘AB 375’, it gives much more power to consumers concerning their personal data and is far stronger than any previous state legislation. With many of the world’s major tech firms (and holders of consumer data) such as Google and Facebook headquartered in California, it is expected to be hugely impactful and for other states to gradually follow suit over the next few years.
Organisations that comply with GDPR will meet many of the requirements of the California Consumer Privacy Act, but for those that don’t, it will be a major upheaval. It’s a piece of legislation that has been much discussed during 2019, and the key takeaway is that data protection is now an ongoing commitment. There isn’t an end to the requirements, and firms must adopt the right GRC software to help them manage those requirements effectively and to ensure complete compliance.
Managing compliance in 2020 and beyond
As jurisdictions all over the world, like the EU and California, bring their data privacy laws more into line with the modern world, so the requirements on organisations to ensure compliance will grow. Beyond data privacy, there are also the many different industry compliance requirements to consider, whether it’s MiFID II in the Financial Services sector or something else entirely, so the compliance requirements in modern business are many and complex.
That makes it all the more important to head into 2020 with the right GRC tools to manage compliance properly. Oxial launched its sGRC solution this year, innovative GRC software that greatly outperforms traditional GRC tools, provides any organisation with the reassurance that it will achieve compliance with all relevant legislation, and covers a range of different regulatory terminologies.
If that sounds of interest to you, please get in touch with one of our compliance experts here.