Whatever happened to our darling Google? The company that once had the motto “Don’t be evil” seems to have changed it to “Shhh… Don’t tell anyone.”
In a blog post published on October 8, Google announced it was closing Google+ because of a software glitch it had known about since 2015 and which allowed outside developers to access people’s profile data. Google fixed the issue in March of 2018, but the team involved and the Google CEO decided not to notify anyone.
So now Google joins the ranks of Facebook, which recently reported a data breach that affected 50 million users. While the scale of the Facebook breach is undoubtedly more significant, Facebook did immediately own up to the breach whereas Google chose not to. Timing may partly explain the difference: the Google breach occurred before the GDPR came into effect, whereas the Facebook breach came afterwards.
Google obviously wanted to avoid negative press and public scrutiny. But because the breach occurred before the GDPR came into effect, Google will most likely not be liable for the fines that it would now be liable for under the GDPR.
What these two recent breaches do tell us is that regulation is necessary to get large Internet companies to act responsibly in helping their users control and understand what’s happening with their personal data. These Internet giants have been looking out for their own best interests and not their customers’. Now that the GDPR is here, with its threat of fines and the heightened awareness it brings to data protection for companies and individuals, it seems this is all beginning to change.
The message to companies is pretty clear now: protecting your customers’ data is the same as protecting your company. Don’t hide your breaches; log them, and if you need to report them, make sure you do so within 72 hours to the ICO or whoever your supervisory authority is. It’s one of many services the application provides to ensure you’re protecting your customers’ data and complying with the GDPR.