January 10, 2023
Meanwhile, the scene-stealer over at Meta brings the opening lines from Rudyard Kipling’s ‘If’ to mind:
“If you can keep your head when all about you
Are losing theirs and blaming it on you…”
Meta has kicked off the year with the news that it’s being fined over $400 million “by top EU regulator for forcing users to accept targeted ads” [CNBC].
Targeted ads are a prime source of revenue for Facebook and Instagram. With no intention of being critical at all, you do have to wonder why and how this happened, given that the revenue imperative is something of a driving force over at Meta. It would appear that the companies involved in the GDPR violation weren’t as hyper-buttoned-down on GDPR compliance as they are hyper-slick at making money, growing, and generally having a pretty mainstream influence on life in the internet world as we know it.
This event also raises the question: if an organization with the astounding level of resources that Meta has can get it wrong, what hope is there for the lesser mortals of the world of commerce?
Avoiding GDPR pitfalls: Common GDPR violations
The CNBC report on the Meta scenario states: “GDPR places strict requirements on firms with regard to the processing of people’s information. Firms that run afoul of the rules risk facing penalties as high as 4 percent of global annual revenues.”
As Meta has shown, that percentage can represent a large slug of money. But even for far smaller businesses, while the actual amounts may be smaller, their impact can be equally, if not more, damaging. In 2020, Meta’s annual revenue was $86 billion. In 2021 it was $117.9 billion. It’s not about to come crashing down due to the GDPR hit. Even so, $400+ million ($414 million to be precise) is something of a broadside. Estimates suggest that five to seven percent of the company’s overall advertising revenue is now “at risk” [BusinessInsider.com]. Meanwhile, Meta has stated that it intends to appeal the ruling.
Any company violating GDPR rules is likely to find itself subject to unwelcome news attention. No news is good news. Negative news is bad news. It’s not difficult to understand the steps that need to be taken when it comes to data protection and privacy: how to accentuate the positive by eliminating the negative.
Research from GDPR Local identifies the six most common GDPR violations, in order of occurrence:
- Insufficient legal basis for Data Processing.
- Insufficient technical and organizational measures to ensure information security.
- Non-compliance with general data processing principles.
- Insufficient fulfillment of data subjects’ rights.
- Insufficient fulfillment of information obligations.
- Insufficient cooperation with a supervisory authority.
Ensuring that you’re legally watertight, accountable, transparent and that you limit the use of data for its intended purpose are among the fundamental principles of GDPR.
A casual approach will give you problems.
A lack of robust data governance will give you problems.
When your non-compliant practices are discovered, as they will be,
the fines you face may well be among the least of your problems.
See how they run: Customers, supply chain partners, stakeholders, and shareholders
Fines come and go. You pay them, and a line is drawn under the event (even though you may now well be a forever flashing light on the regulator’s radar). Other impacts may endure longer, gathering momentum as each associated cause has its effect.
These impacts are not about the amount of money involved in the fine. They are about the erosion of trust; the trust that those your company depends on have traditionally invested in your organization. Customers bought from you because they trusted you or warmed to your ethics or agreed with your values. Now they might rethink all that.
A GDPR violation/fine says very clearly that your organization has unlawfully processed personal data. This makes customers edgy. It can also undermine the pride that your employees had in being part of your success story. Supply chain partners may just as well drop their connection with you as continue it.
After all, association with an organization that has fallen foul of one of the most basic and increasingly important tenets of modern business life, data governance, can quite possibly be replaced with more favorable associations and partnerships. You may also find that you are invited to tender less often than you used to be.
You may find yourself unaffected by any of this following a GDPR violation. You may be almost out of the woods having paid your fine. But in this world, it only takes one person to incite a crowd. When you least expect it, you may suddenly become a social media star. For all the wrong reasons.
Whether Meta’s appeal against the GDPR violation ruling succeeds or not, the organization will roll on. It’s too big not to. Such resistance may not apply to every organization though. Check your GDPR stance and benchmark your policies and procedures, tech stack and data awareness, and robustness of a compliance culture within your business now. Make sure you really do have a happy new year.