13 March 2019

Google’s GDPR fine: a sharp reminder that non-compliance is not an option

Previously, attention has focused on the fines associated with unlawful disclosure of personal data. The Google fine, by contrast, was concerned with the Privacy by Design principle of lawfulness, fairness and transparency. Individuals felt they were not clearly informed about how Google was using their data and did not feel they had been given the ability to provide specific consent to the various processing activities.

However, although branded the ‘largest GDPR fine to date’, the financial impact on the global technology firm will be insignificant in comparison to the maximum fine of 4% of annual turnover. With annual revenue of over £100 billion last year, the £44 million fine is 100 times smaller than the maximum, which should help put it in perspective for other organisations. Whether or not Google wins its appeal to avert the fine, it is important to remember that the compliance goalposts remain unchanged. Rather, the incident demonstrates that authorities can stand up to these ‘untouchable’ global corporations to ensure data subject rights are met.

A key point to remember is the guidance that resonates throughout the legislation: implement appropriate technical and organisational controls for the data you process. Google, as a global, multi-billion dollar company whose business model is based on processing data, will be expected to meet higher security standards than other organisations. This does not mean smaller enterprises can disregard data protection; rather, they can be pragmatic and risk-conscious based on the nature of their processing. A company that predominantly engages in business-to-business transactions, while likely to require less effort in its everyday activities than an organisation with a consumer focus, would still need to prioritise the handling of personal data for internal HR processes, for example.

For any organisation, getting the basic foundations of its GDPR programme accurate and complete can help address these non-compliance issues. Article 30 requires a complete personal data processing inventory that records important information such as the nature of the processing, the lawful basis and the retention periods. By clarifying these points, it is possible to identify where consent is required for each purpose. Further, the inventory clearly maps out what needs to be included in the privacy notice.

At a higher level, the inventory can provide the basis for a vulnerability assessment to identify where to prioritise efforts. This initial analysis should translate into a layered set of appropriate data protection controls that can be demonstrated and justified to the individual on the basis of risk. When implementing controls, the implications for the individual if the personal data were breached need to be considered. Data such as religion and ethnic origin can give rise to prejudice, judgement and a potential risk of abuse if exposed, and therefore requires strong access restrictions, which may also necessitate anonymisation techniques. Controls of this level are neither appropriate nor practical for personal data that is less sensitive.

Various access governance and segregation of duties tools can help towards GDPR compliance. By developing a GDPR access rule-set, data privacy access risks can be defined, giving full visibility of who violates each risk and whether their access is lawful. These risks can be assigned differing risk levels so that the organisation can implement appropriate mitigating controls based on the risk to the individual. To ensure ongoing compliance objectives are being met, a process should be implemented to review and monitor these control activities on a periodic basis.
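As an added illustration of the rule-set approach described above (not Turnkey's tooling or any real GRC product), the following Python evaluates constructed IAM data against a GDPR access rule-set that maps personal-data categories to lawful roles and a risk level, and reports violations ordered by risk to the individual. All role names, categories and users are assumptions made up for the example.

```python
"""Added example: a toy GDPR access rule-set evaluator (constructed data; not
Turnkey's tooling or any real GRC product)."""
from dataclasses import dataclass

# Remediation priority: highest impact on the individual first.
RISK_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed rule-set: for each personal-data category, the roles whose access is
# lawful and the risk to the individual if it were exposed.  Special-category data
# (religion, ethnic origin) is deliberately restricted to a single role.
RULES = {
    "religion":        {"lawful_roles": {"HR_SPECIAL_CATEGORY"}, "risk": "HIGH"},
    "ethnic_origin":   {"lawful_roles": {"HR_SPECIAL_CATEGORY"}, "risk": "HIGH"},
    "salary":          {"lawful_roles": {"HR", "PAYROLL"},       "risk": "MEDIUM"},
    "contact_details": {"lawful_roles": {"HR", "SALES"},         "risk": "LOW"},
}

@dataclass(frozen=True)
class Violation:
    user: str
    category: str
    risk: str
    roles: tuple  # the user's roles, none of which makes this access lawful

def evaluate_access(user_roles, user_data_access, rules=RULES):
    """Return violations: users who can reach a category without any lawful role.
    user_roles: {user: set(roles)}; user_data_access: {user: set(categories)}.
    A category missing from the rule-set is flagged HIGH: it is an inventory gap."""
    violations = []
    for user, categories in user_data_access.items():
        roles = user_roles.get(user, set())
        for category in sorted(categories):
            rule = rules.get(category)
            if rule is None or not (roles & rule["lawful_roles"]):
                risk = "HIGH" if rule is None else rule["risk"]
                violations.append(Violation(user, category, risk, tuple(sorted(roles))))
    return sorted(violations, key=lambda v: (RISK_ORDER[v.risk], v.user, v.category))

def summarise(violations):
    """Count violations per risk level so mitigating controls can be prioritised."""
    counts = {level: 0 for level in RISK_ORDER}
    for v in violations:
        counts[v.risk] += 1
    return counts

# Constructed sample IAM data: alice is HR without the special-category role, bob is
# a sales user who can also read salaries, carol holds the special-category role.
USER_ROLES = {"alice": {"HR"}, "bob": {"SALES"}, "carol": {"HR_SPECIAL_CATEGORY", "HR"}}
USER_DATA_ACCESS = {"alice": {"salary", "religion"}, "bob": {"contact_details", "salary"},
                    "carol": {"religion", "ethnic_origin", "salary"}}
```

Running `evaluate_access(USER_ROLES, USER_DATA_ACCESS)` flags alice's access to religion data as HIGH and bob's access to salary data as MEDIUM; the periodic review the text recommends would re-run this against a fresh IAM export.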

In summary, the GDPR objective remains unchanged: to protect the rights of individuals when their personal data is processed. Rather than being seen as a scaremongering tactic, the Google fine should educate other organisations so that they do not fall into the same non-compliance pitfalls.