As data privacy watchers have no doubt noticed, Google has managed to find itself in front of the largest GDPR fine to date, courtesy French privacy watchdog CNIL. In full, the fine amounts to 50 million Euros. The basis of the penalty is twofold, first for lack of transparency in how personal data is used by Google, second for not having a legal basis (“consent”) to process user data for personalized ads. CNIL went so far as to say that the documentation and user controls provided to users are inadequate given the volume of data and variety of services that can be targeted at users.

While the fine is far short of the largest sanction that can be imposed under GDPR (4% of annual revenue), it does highlight a complexity that many firms may still be unprepared for — namely, the Article 15 “Right of Access” requirement that mandates a response to user inquiries within 30 days. Large quantities of user data + many data-driven ad services to fulfill = big problems!

In fact, British research firm Talend studied personal data requests made to 23 companies operating in the UK, and found that only 17% of companies complied within the 30-day time period required to respond to requests, while another 9% gave incomplete or delayed responses.

As for Mr. Schrems, his activist firm Noyb has since filed eight additional Right of Access cases against the likes of Apple Music, Spotify, and YouTube. Of these, two requests were not fulfilled within the 30-day window, while four produced data that was only partially intelligible.

Clearly, what constitutes “consent” for public social media providers whose business models are driven by advertising revenue is a complicated process. As noted in the Google case, simply updating documentation or adjusting user controls may not be sufficient. Achieving consent under GDPR requires transparency in how user data will be used, which does not always reconcile with the goals of their advertisers. This will be a long road for most ad-driven social media providers without fundamentally rethinking their revenue models as well as technology they use to anonymize user data.

For organizations that capture and store user data for a specifically defined purpose, the same transparency and strict Right of Access rules under GDPR also apply, but the consent process may differ. Take banking, for example. In this case, regulations including MiFID II require that banks capture all communications with clients that lead up to a specific business event – specifically, the purchase or sale of a financial product. Financial advisors are allowed to use specific communications tools with the understanding that those communications will be captured and supervised to meet MiFID II requirements. The GDPR obligation now falls on the bank to make sure that those stored communications are used for no other purpose — and must be able to prove so if a client opens an Article 15 Right of Access request. 

In the end, regardless of whether a business is driven by ad revenue or is capturing and storing user data for a specific business purposes, transparency and speed are central attributes to any firm’s ability to meet their GDPR obligations. Firms must be explicit in stating how personal data is being used, and they must have systems allowing them to respond quickly to Article 15 requests. For some, it will be an Achilles heel. For others, the prioritization of data privacy will be an on-going source of differentiation and ability to build stronger trust with your customers.