It was only a matter of time but Google has been fined a record €50 million (£44 million / $57 million) for breaching those EU data protection rules we've all talked so much about, GDPR.

The fine is essentially for failing to have a lawful basis on which to process personal data and is the result of complaints filed by two privacy rights groups the day GDPR came into force last year.

In case you are unaware, there are six lawful bases for processing data - consent, performance of a contract, legal obligation, vital interests, public task and legitimate interests. The organisation needs to determine which basis they will apply prior to the processing of any data and ensure they follow the requirements associated with that basis.

Like many organisations, Google had chosen 'consent' as its lawful basis for its Google Ads service (previously known as Adwords) but the Regulator decided that there was no clear consent - essential information required in order to make the decision is spread across several documents. Not only that, the consent was requested 'for all processing activities', for example ads personalisation, speech recognition etc., when consent should be obtained separately for each activity.

What's more, the consent option to personalise Google Ads when setting up a Google account is currently pre-ticked. Tut, tut, Google. That is definitely not allowed under GDPR and was considered bad practice even before GDPR came into force.

Naturally, Google is set to appeal the fine, but what does it mean in the meantime for organisations who use Google Ads as a channel to promote their business, products or services? Right now, it's business as usual for those of us who utilise the channel; it may mean some changes to how it works in future but, more likely, Google will amend how they gain consent so business can continue as it does now.

If your organisation uses 'consent' as its legal basis for processing personal data, here's a quick reminder of some key points to bear in mind:

  • 'Consent' is an ongoing activity - people should be able to withdraw it at any time
  • The organisation must record that consent has been provided
  • It is NOT acceptable to bundle consent with other terms and conditions
  • 'Consent' should be 'specific' and 'granular' - people should be able to consent to some things and not others

Need to brush up on your GDPR knowledge? Take a look at accounting cpd's 'GDPR: Implementation and Beyond' - an online CPD course written by the author of this blog.

This blog was written by Becky Reid, Tattoo Ink Marketing.