Countdown To GDPR: Google Advises Partners About Disclosure, Consent

Dan Gunderman

In less than two months, the EU’s most significant data privacy regulation in decades will become enforceable.

The General Data Protection Regulation (GDPR) not only strives to return a measure of data ownership back to citizens, but it also has teeth – as it can fine EU-data-handling enterprises up to 4% of annual turnover for noncompliance.

The measure – subject of the Cyber Security Hub’s March Market Report – was approved April 14, 2016 and given a two-year grace period before taking effect. This meant that enterprises handling EU data had ample time to become compliant. Some cyber experts suggest that many multinational companies have taken action to reach compliance for the deadline. For other organizations, however, what they don’t know could spell steep financial fines.

The scope of the GDPR makes it signature legislation – the likes of which arguably haven’t been seen since the Data Protection Directive 95/46/EC, approved Oct. 24, 1995. The Directive’s attempts to regulate the fledgling Internet were both crucial and enduring. Many of the same principles have carried over into the GDPR – which now takes into account the proliferation of smartphone technology, plus the Internet of Things (IoT) and cloud computing.

Outside of significant fines, the GDPR also loops in all organizations that handle EU data, even if they reside outside of EU jurisdiction. Breach notification principles are revamped in the GDPR – meaning notification must be done within 72 hours of becoming aware of the incident.


Cyber expert, TV commentator and author Adriana Sanford previously told the Cyber Security Hub that the breach notification components of the GDPR will heighten visibility for affected enterprises within the EU, and because of social media and the 24-hour news cycle, will be equally visible for organizations within the U.S.

Data subjects also have the right to know where the data resides, and the GDPR affords them the “Right to be Forgotten” – so, parties can have their data scrubbed. Other highlights include “Privacy By Design” (security can and should be baked into the orchestration process), and the right to transmit data. Perhaps the most crucial element of the GDPR includes the appointment of a Data Protection Officer (DPO) to handle data monitoring.

On whether these larger measures can be effective, drive change and streamline governance, risk management and compliance (GRC) processes, Sanford said, “If citizens and countries don’t work together, we can’t prevent borderless crimes. (Criminals) can go to places where the laws are lax. There, it’s difficult for us to do anything.”

Giving his take on the GDPR’s impact on the global ecosystem, Senior Program Manager for IT Security, Jamal Hartenstein, said that in the U.S., more exacting laws at the state level could emerge.

“I imagine some companies may (also) do what Ford did with the Pinto,” Hartenstein previously told the Cyber Security Hub. “Ford was aware of the dangers their product posed to consumers, but it was cheaper to pay the penalties than the cost to make it safe.”

GDPR MMR Callback Story Google Partners Compliance

Photo: Annette Shaff /

Google's Stake In GDPR

What’s more, Google made headlines last week after emailing their partners about precautionary measures for the GDPR rollout.

According to Search Engine Roundtable, Google emailed partners including AdSense publishers, Admob advertisers and others about their “responsibilities for making disclosures to, and obtaining consents from, end users of (their) sites and apps in the EEA (European Economic Area).”

The same report notes that Google wrote: “Google’s EU User Consent Policy is being updated to reflect the new legal requirements of the GDPR.” This policy is incorporated into the contracts for most Google ads and measurements products.

The company said it has also been rolling out updates to its contractual terms for products “since last August.” This reflects “Google’s status as either data processor or data controller under the new law,” the partner message reads.

Under “Product Changes,” the tech giant wrote that it will be “launching new controls for Google Analytics customers to manage the retention and deletion of their data.” Also, Google aims to explore “consent solutions for publishers, including working with industry groups like IAB Europe.”

With the GDPR measure now weeks from implementation, it is clear that global corporations are taking vast measures to be compliant! Stay tuned to for more GDPR-related content.

Be Sure To Check Out: CISO Calls For Sweeping Policy Changes To Address Cyber Concerns