12th July 2018
When GDPR came into play on 25th May 2018, so did enormous fines for breaching its rules. The maximum fine of 20 million euros is reserved for the most severe of breaches, whereby companies flagrantly disregard the regulation – something that Facebook have done alongside Cambridge Analytica…but luckily for them, before GDPR was implemented.
The data scandal involved the collection of personally identifiable information belonging to 87 million Facebook users that Cambridge Analytica, a British political consulting firm, started collecting in 2014. Politicians hired Cambridge Analytica in an attempt to use the data to influence voter opinion, and after this surfaced the public outcry prompted Facebook to apologise.
It transpired that the data had been ‘obtained improperly’ and ‘improperly shared’ by Facebook, and that despite Cambridge Analytica saying the questionable data had been deleted, some of it was still in circulation this April.
As the timing of the breach was before 25th May, the ICO said it was ‘unable to levy the penalties introduced by GDPR’, meaning that Facebook are receiving the maximum penalty of £500,000 as dictated by the Data Protection Act 1998, rather than GDPR’s maximum penalty of €20m.
We are sure that Facebook are breathing a sigh of relief, as they have escaped a multi-million pound fine by the skin of their teeth. In fact, in the first quarter of 2018 Facebook brought in $11.97 billion in revenue, so the £500,000 fine only equates to 5.5 minutes of their time. So they’re safe this time in terms of money. However, Elizabeth Denham, the Information Commissioner, has said, “It is important that the public are fully aware of how information is used and shared…and the potential impact on their privacy”. Therefore Facebook’s reputation certainly comes into question here, as well as the trust the general public puts in the website.
Indeed, in the wake of the Cambridge Analytica scandal, a survey in the USA revealed that 17% of respondents had removed the Facebook app from their phone whilst 9% deleted their Facebook account altogether.
The fine incurred and the dented reputation of Facebook should serve as a GDPR warning to us all. The ICO have made it clear that if the breach had happened after May 25th the maximum penalty would have been served.
There has never been a more pertinent time to audit every aspect of your business to ensure that it’s GDPR compliant, from your computers and your filing system to your HR and your payroll. A €20m fine would damage most companies beyond repair, and reputational damage could do the same – 9% of American users deleted Facebook following the breach. Could you cope if suddenly you lost 9% of your customers and the news was plastered with stories of you mishandling their data?
Learn from Facebook’s mistakes; don’t fall victim to the same ones.