Regulators mean business!

The second largest ever fine for a breach of the European Union's General Data Protection Regulation was slapped on Instagram recently - €405 million. Will this force organisations to adopt stricter data management and protection measures going forward?

When Irish regulators recently fined Instagram 405 million euros under the GDPR for violating children's privacy, it signalled yet another step towards holding all organisations to account wherever violations are identified. The long-running complaint in this instance concerned children's data, particularly their phone numbers and email addresses. Some children are said to have upgraded to business accounts to access analytics tools, such as profile visits, without realising that doing so made their contact details public. Instagram owner Meta (formerly Facebook) has said it plans to appeal against the decision. It is the third fine handed to the company by the regulator.

As for the biggest GDPR-related fine to date, this was meted out to Amazon: a massive €746 million, disclosed in the company's July 2021 earnings report and almost 15 times greater than the previous record at that time. The fine was imposed by Luxembourg's National Commission for Data Protection, which found that the tech giant's processing of personal data did not comply with EU law. Amazon has lodged an appeal against the fine; its only public comment so far has been to refer back to a July statement that "there has been no data breach, and no customer data has been exposed to any third party".

STRICT MEASURES ESSENTIAL
According to Dan Middleton, vice president UK & Ireland at security company Veeam, the news that Ireland's Data Protection Commission has issued the second largest GDPR fine in history drives home the critical importance of adopting strict data management and protection measures. "While it is by no means unique in this situation, the photo-sharing platform involved has changed its approach to data protection since the issues that led to the fine took place. However, this case demonstrates that past data management decisions have implications not just for the time at which they are made, but into the future. Decision makers need to be aware of any consequential issues that can arise when it comes to protecting and managing users' data.

"Businesses must place data integrity, security and resilience at the heart of their operations to severely reduce, if not avert, the risk of their own and their end users' data being exposed to unwelcome consequences," adds Middleton. "Not only will this prevent hefty fines, such as those issued by the DPC, but it will ensure that their reputation doesn't suffer as a result of a management error or data protection oversight.

"When companies are entrusted with their customers' sensitive data, there are no measures that go too far. They must be aware that they are custodians of any data they collect, process and use, and it is therefore their responsibility to ensure that this data is protected. This needs to go beyond a simple box-ticking exercise to ensure GDPR compliance, and instead a business-wide culture of transparency and responsibility must be adopted. When it comes to data protection, this should include a full business continuity strategy that includes resilience measures, along with secure, immutable backups and disaster recovery solutions that can be drawn upon, if data is maliciously accessed."

WHATSAPP ALSO HIT HARD
Last year, the DPC fined WhatsApp 225 million euros, at that time the largest fine ever from the commission and the second highest under EU GDPR rules. Facebook (now Meta), which also owns WhatsApp, has its EU headquarters in Ireland. The fine relates to an investigation that began in 2018 about whether WhatsApp had been transparent enough about how it handles information. The issues involved were highly technical, including whether WhatsApp supplied enough information to users about how their data was processed and if its privacy policies were clear enough. Those policies have since been updated several times.

"WhatsApp is committed to providing a secure and private service," a company spokesperson said at the time, as reported by the BBC: "We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate." GDPR rules allow for fines of up to 4% of the offending company's global annual turnover, or €20 million, whichever is higher.

Clearly, the GDPR is proving effective: the large fines administered so far to some big-name companies serve as a reminder and a deterrent to others when it comes to responsible management of data, and underscore the seriousness of purpose with which the regulations were planned. More than four years since the regulations came into force, it's worth looking back at how they were structured and at the European Commission's own assessment of how effective they have proved.

First off, the European Commission accepts that most of the issues identified by Member States and stakeholders will most likely benefit from more experience in applying the Regulation in the coming years. "Increasing global convergence around principles that are shared by the GDPR offers new opportunities to facilitate safe data flows, to the benefit of citizens and businesses alike," it states.

IMPROVEMENTS WITH GDPR
Businesses, including SMEs, now have just one set of rules to which to adhere. "The GDPR also creates a level playing field with companies not established in the EU but operating here. By establishing a harmonised framework for the protection of personal data, the GDPR ensures that all businesses in the internal market are bound by the same rules and benefit from the same opportunities, regardless of where they are established and where the processing takes place. In addition, privacy has become a competitive quality that customers are increasingly taking into consideration when choosing their services. For SMEs, the implementation of the right to data portability has the potential to lower the barriers to entry to data protection friendly services. Compliance with the data protection rules and their transparent application will create trust between business and consumers when it comes to the use of their personal data."

NEW TECHNOLOGIES
The GDPR is seen as an essential and flexible tool to ensure the development of new technologies, in accordance with fundamental rights. "The implementation of the core principles of the GDPR is particularly crucial for data intensive processing. The risk-based and technology-neutral approach of the Regulation provides a level of data protection, which is adequate to the risk of the processing also by emerging technologies."

The GDPR's technologically-neutral and future-proof approach was put to the test during the COVID-19 pandemic and has proven to be successful. Its principles-based rules supported the development of tools to combat and monitor the spread of the virus. The future-proof and risk-based approach of the GDPR is also being applied in the EU framework for Artificial Intelligence and in the implementation of the European Data Strategy, aimed at fostering data availability and at the creation of Common European Data Spaces.

GLOBAL PROTECTION STANDARDS
The GDPR has emerged as a reference point and acted as a catalyst for many countries and states around the world considering how to modernise their privacy rules. International instruments, such as the modernised 'Convention 108' of the Council of Europe or the 'Data Free Flow with Trust' initiative launched by Japan are also based on principles that are shared by the GDPR. This trend towards global convergence brings new opportunities for increasing the protection of Europeans, while, at the same time, facilitating data flows and lowering transaction costs for business operators.

The GDPR offers a modernised toolbox to facilitate the transfer of personal data from the EU to a third country or international organisation, while ensuring that the data continues to benefit from a high level of protection. "This continuity of protection is important, given that in today's world data moves easily across borders and the protections guaranteed by the GDPR would be incomplete, if they were limited to processing inside the EU. The toolbox includes actively engaging with key partners with a view to reaching an adequacy finding and yielded important results such as the creation between the EU and Japan of the world's largest area of free and safe data flows. Ongoing work also concerns other transfer mechanisms, such as standard contractual clauses and certification, to harness the full potential of the GDPR rules on international transfers."

What is all too clear from the sizeable fines imposed on Instagram and others is that data protection authorities are making use of the wide range of corrective powers provided by the GDPR: administrative fines, warnings and reprimands, orders to comply with data subjects' requests, orders to bring processing operations into compliance with the Regulation, and orders to rectify, erase or restrict processing. Nor is it all about fines as a means to keep businesses in line. As the EC states: "The GDPR also provides for a broader palette of corrective powers. For example, the effect of a ban on processing or the suspension of data flows can be much stronger than a financial penalty."

CHANNEL 4 - TOTAL VISIBILITY
One organisation intent on ensuring it meets its GDPR obligations is Channel 4, which is said to be saving its security department thousands each year after partnering with Invicti Security to gain complete visibility into its web assets.

As part of protecting the information it collects, in line with regulations such as GDPR, Channel 4 - which operates the UK's biggest free streaming service, All 4, plus a network of 12 television channels - needs to secure vast amounts of information, including the data of 24 million All 4 subscribers, staff details and all of its intellectual property. It must also be able to demonstrate that this data is properly protected.

For a large organisation with thousands of web assets, security was previously a complex and expensive task, involving numerous penetration tests by multiple third parties at significant cost to the business. "We would perform a penetration test and after getting the results, we'd have to fix the issue and then pay for another penetration test," says Channel 4 CISO Brian Brackenborough. "That could be quite a cycle depending on how complicated the particular project was."

Channel 4 now uses Invicti to gain visibility into whether websites are collecting personally identifiable information (PII). It can then perform vulnerability scans and penetration tests on those websites. The efficiency gains and cost savings are clear: partnering with Invicti saved Channel 4 thousands in the first year alone. "The budget, which we were spending every year on penetration testing, decreased approximately 60%. The following year, it decreased close to 80%," he adds.

Using Invicti, Channel 4 can run automated, continuous vulnerability scans and penetration tests against systems at set milestones of a project to make sure it stays on track. This lets Channel 4 catch issues early in the process and prioritise the vulnerabilities that actually put the organisation at risk, so it can fix them with less manual effort.
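The first step described above, working out which of thousands of web assets actually collect personal data, is a crawl-and-classify problem. The script below is an added illustration of that step written for this article; it is not Invicti's or Channel 4's code and makes no claim about how the product works. It parses HTML forms with Python's standard-library parser, labels each input field by the kind of personal data it appears to collect (from the control type, autocomplete hint, name, id or placeholder), and flags forms that would send that data over plain HTTP or via GET, where it ends up in URLs, logs and referrers. The hostnames, pages and field names are constructed for the demonstration.

```python
"""Inventory which pages collect personal data through HTML forms.
Illustrative example only, not Invicti's or Channel 4's code; the sample
pages, hostnames and field names below are constructed for this demo."""
import re
from html.parser import HTMLParser

# Naming hints that indicate personal data. Extend to match the conventions
# of the sites being inventoried; the list is an assumption for the demo.
PII_PATTERNS = {
    "email": re.compile(r"e[-_]?mail", re.I),
    "phone": re.compile(r"phone|mobile|tel(ephone)?", re.I),
    "name": re.compile(r"(first|last|full|sur|given|family)[-_]?name|^name$", re.I),
    "dob": re.compile(r"\bdob\b|birth", re.I),
    "address": re.compile(r"addr(ess)?|post[-_]?code|zip", re.I),
    "card": re.compile(r"card[-_]?num|cc[-_]?num|cvv|cvc", re.I),
}
# Control types that never carry typed-in personal data.
NON_DATA_TYPES = {"hidden", "submit", "button", "reset", "image", "checkbox", "radio"}


class FormCollector(HTMLParser):
    """Collects every <form> on a page together with its input controls."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            self._current["fields"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_field(attrs):
    """Return the PII category of one form control, or None if it carries none."""
    ftype = attrs.get("type", "text").lower()
    if ftype == "email":
        return "email"
    if ftype == "tel":
        return "phone"
    if ftype in NON_DATA_TYPES:
        return None
    # Plain text box: fall back to the naming hints, most explicit first.
    for key in ("autocomplete", "name", "id", "placeholder"):
        value = attrs.get(key, "")
        for label, pattern in PII_PATTERNS.items():
            if value and pattern.search(value):
                return label
    return None


def audit_page(url, html):
    """Return one finding per form on the page that collects personal data.
    'insecure' is set when the data would travel over plain HTTP or be
    submitted with GET, which writes it into URLs, server logs and referrers."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        categories = {c for c in map(classify_field, form["fields"]) if c}
        if not categories:
            continue
        plain_http = url.startswith("http://") or form["action"].startswith("http://")
        findings.append({"url": url, "action": form["action"], "method": form["method"],
                         "pii": sorted(categories),
                         "insecure": plain_http or form["method"] == "get"})
    return findings


# Constructed sample pages standing in for crawled web assets.
SAMPLE_PAGES = {
    "https://www.example.test/newsletter":
        '<form action="/subscribe" method="post">'
        '<input type="email" name="email" autocomplete="email">'
        '<input type="submit" value="Sign up"></form>',
    "https://www.example.test/about":
        '<form action="/search" method="get"><input type="text" name="q"></form>',
    "http://legacy.example.test/competition":
        '<form action="http://legacy.example.test/enter" method="get">'
        '<input name="full_name"><input name="mobile">'
        '<input type="text" name="dob" placeholder="Date of birth">'
        '<input type="checkbox" name="terms"></form>',
}


def run_inventory(pages=SAMPLE_PAGES):
    """Audit every page and return the combined list of findings."""
    findings = []
    for url, html in pages.items():
        findings.extend(audit_page(url, html))
    return findings


if __name__ == "__main__":
    for f in run_inventory():
        flag = "INSECURE" if f["insecure"] else "ok"
        print(f"{flag:8} {f['url']} -> {f['method'].upper()} {f['action']} "
              f"collects {', '.join(f['pii'])}")
```

On the constructed pages the newsletter form is reported as collecting an email address over HTTPS with POST, the search form is not reported at all, and the legacy competition form is flagged as insecure because it sends a name, phone number and date of birth by GET to a plain-HTTP endpoint. In practice the pages would come from a crawl rather than a dictionary, and the flagged forms are the ones to put first in the queue for the vulnerability scans and penetration tests described above.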

"That makes our lives a lot easier and allows us to ensure we are delivering projects on budget and on time," says Brackenborough.