Discussions about GDPR have not subsided to this day. What is it? Who’s in? What to do? We answered these and other questions in our previous post. Also, you can find a GDPR compliance checklist there to make sure your website or other online presence meets the not-so-new rules of personal data processing.
QAwerk works with clients all over the world, and half of them are from EU countries. We fall under GDPR as we are a software testing outsourcing company that interacts with European citizens, and our company should ensure the safe collection, processing of personal information and indicate purposes of its usage. Initially, our team had attentively explored new rules by official documents and dozens of articles, then we prepared a plan and made changes to our website according to the requirements. During our study, we, of course, were reviewing how other companies were following GDPR and were disappointed by the fact that almost nobody was doing anything about it.
Despite that GDPR regulation came into force since May 25th 2018, the overwhelming majority of web services did not take seriously this innovation. As a result, they received hundreds of lawsuits from users and were fined large amounts. According to the law, in case of non-compliance with GDPR rules, late notification about data leakage or infringements of personal data collection and processing, the company should pay a fine at a rate of up to 20 million euros or 4% of the year’s profit.
Where did breaches happen?
For the last year, more than 95,000 complaints were received across Europe, and the largest number of reported breaches were in the Netherlands, Finland, and the United Kingdom. More than 500 million people were affected by huge data breaches at British Airways, Marriott and Quora companies. Such famous companies as Uber, Facebook, and Equifax have also received fines for violation of GDPR rules.
How much were fines?
Fines issued during the year reached €56 mln in total, and, what’s the most impressive is that €50m of this sum is a fine for Google from CNIL French data protection watchdog. CNIL claimed that Google had breached GDPR failing to meet transparency and information requirements and had failed to gain valid consent to process users’ personal data for ads personalization purposes. To date, it is the biggest fine handed out for GDPR violation as in other cases they were ranged from €5 to €400 000.
In October 2018, Facebook was fined £500,000 for the data transfer of 87 million its users for political advertising purposes without their sufficient consent. The data was collected through the quiz app, developed by the professor of Cambridge University, that received permission from users to process their personal data and data about their friends. The Facebook company was accused of allowing application developers to access user information without sufficient consent and inability to secure personal information.
In 2018 the same fine was imposed on Equifax, data analytics and technology company. Hackers stole personal information and financial data of 15 million UK citizens after the failures that led to data vulnerability to unauthorized access.
The latest GDPR violation has recently been committed by Pregnancy club Bounty UK. It was found that the company had collected personal data of more than 14 million people from its website, mobile app, merchandise cards and had been illegally sharing it with third parties like credit reference and marketing agencies without people awareness. Bounty UK was fined £400,000 for the sharing of about 34.4 million records.
It is safe to say that GDPR impact continues to gain strength in 2019, as it has already made people think about the processing and protection of their personal data. For the company of any size, multi-thousand fines can be a big loss, so it is better to comply GDPR and feel calm when doing business with anyone.
QAwerk has decided to test 11 well known design tools and compare how much they comply with new rules. Based on the checklist that we developed specifically for GDPR compliance testing, we’ve got the following results:
| Element |  |  |  |  |  |  |  |  |  |  |  | % of Y |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Asking for consent | ||||||||||||
| Check-box, hyperlink to Terms and Conditions and its page |   |   |   |   |   |   |   |   |   |   |   | 80 |
| Check-box, hyperlink to Privacy Policy and its page |   |   |   |   |   |   |   |   |   |   |   | 70 |
| opt-in/opt-out options |   |   |   |   |   |   |   |   |   |   |   | 10 |
| Age check |   |   |   |   |   |   |   |   |   |   |   | 0 |
| Personal data | ||||||||||||
| Registration page with minimum data collection |   |   |   |   |   |   |   |   |   |   |   | 70 |
| Login page (+ social network access) |   |   |   |   |   |   |   |   |   |   |   | 100 |
| Subscribe/Unsubscribe options |   |   |   |   |   |   |   |   |   |   |   | 40 |
| Edit account option |   |   |   |   |   |   |   |   |   |   |   | 100 |
| Delete account option |   |   |   |   |   |   |   |   |   |   |   | 40 |
| Restrict Processing Mode option |   |   |   |   |   |   |   |   |   |   |   | 10 |
| Export Data option |   |   |   |   |   |   |   |   |   |   |   | 10 |
| Technical data | ||||||||||||
| Two-factor authentication (2FA) |   |   |   |   |   |   |   |   |   |   |   | 0 |
| HTTPS protocol (works and up-to-date) |   |   |   |   |   |   |   |   |   |   |   | 100 |
| Cookies policy |   |   |   |   |   |   |   |   |   |   |   | 30 |
As you can see, 100% of tested tools have login page with social network access, option to edit account and work through the HTTPS protocol; approximately 70-80% of websites ask for consent and have an agreement check-box and hyperlink to Terms and Conditions and Privacy Policy pages, as well as collect minimum data on the registration page; about 30-40% of tools have cookies policy, subscribe/unsubscribe options and option to delete an account; only 10% of websites have opt-in/opt-out options, restrict processing mode and export data options; none of the tested websites checks the age of users and has a two-factor authentication.
For non-compliance with at least one of the GDPR rules, companies have all the chances to receive users complaints about their website and draw the attention of European data protection agency that has authority to issue a fine. All in all, looking back the experience of other companies, it is better to check your website once and for good to be sure in compliance and transparency, than get into unpleasant situations that entail financial losses and harm thousands of users. Especially since QAwerk has a recipe on how to be GDPR compliant and we are always ready to help you with this.
