m@ksim.pro
Security 3 min read

GDPR: nine months in and the first major fine

In January 2019 Google was fined 50 million euros under GDPR. What it means and why having a privacy policy is not the same as actual compliance.

On 21 January 2019, the French regulator CNIL issued Google a 50 million euro fine for GDPR violations. It is the first major penalty since the regulation came into force in May 2018 - and it is instructive precisely because it is not about a data breach. It is about how consent was obtained.

Nine months have passed since most companies sent their users a "we have updated our privacy policy" email and considered the matter closed. The Google fine makes clear that regulators are looking deeper.

What Google actually did wrong

According to CNIL, the problem was not that Google stored or used data illegally. The problem was the structure of consent:

  • information about how data is used was spread across several documents, requiring up to five clicks to reach the substance;
  • consent for personalised advertising was pre-ticked by default - which directly contradicts the requirement for "active" consent;
  • users could not give separate consent for different processing purposes.

These are technically and legally precise charges. They apply to organisations far beyond Google.

Where most companies actually stand

When I look at how most medium and large companies prepared for GDPR, the picture looks roughly like this:

  • privacy policy updated and published;
  • cookie banner added;
  • data processing register - either a formal document with limited depth, or absent entirely;
  • processes for fulfilling subject deletion requests - written down on paper, but never tested;
  • data processors (contractors, SaaS vendors) - covered by data processing agreements perhaps half the time, and that is the best case.

GDPR compliance is an operational process, not a one-time task. The difference is between "we wrote a policy" and "we know where our personal data sits and who has access to it."

Three questions to start with

To get an honest picture of where things actually stand, I ask three questions:

  1. Data register. Can you name right now which systems hold personal data on your customers and employees? Who is responsible for each of those systems?

  2. Processor chain. Are you passing data to third parties - analytics, mailing platforms, CRM, cloud services? Do you have a data processing agreement (DPA) in place with each of them?

  3. Subject request process. If a customer demands deletion of all their data tomorrow - what exactly happens, who does it, and how many days does it take?

If any one of those questions has no answer, that is a risk worth addressing before the next regulator enquiry.

What to do in the coming weeks

The Google fine is a good reason to run a short internal audit. Not a legal review with consultants, but a practical check: where is the data, who accesses it, how is consent structured.

GDPR is not a threat you can defer. It is the new operational reality for any organisation that handles data about EU residents.
