Much has been written about the ongoing data scandal surrounding tech giant and social media powerhouse Facebook. As CEO and founder Mark Zuckerberg answers questions in front of Congress in the US, the argument over how so many people's data could be accessed rages on. The social media site, which has a reported 2 billion users, has been increasingly under fire following the announcement that data belonging to more than 50 million users was accessed; it is alleged that this personal data was then used to target users with political advertising around the US presidential election that saw Donald Trump become president.
In Europe, Facebook has been at the centre of a number of data-related incidents over the last few years, often accused of not doing enough to comply with data protection laws and facing fines as a result. With the General Data Protection Regulation (GDPR) several weeks from becoming enforceable law across Europe, Facebook could be in line for further fines in the not too distant future.
The GDPR allows regulatory authorities to issue a maximum fine of €20,000,000 or 4% of total worldwide annual turnover, whichever is higher, for the most severe infringements. A breach affecting over 50 million users, many of whom are EU citizens, would sit at the severe end of that scale. The regulation does not apply retroactively, so the incident currently under investigation falls under existing national law; but to illustrate the scale of exposure for a comparable breach after May 2018: Facebook's reported global revenue in 2017 was around $40 billion, so a fine of 4% would be around $1.6 billion.
Data protection, fine or not?
With data protection at the forefront of the minds of IT staff across Europe and the rest of the world, many organisations are improving processes and trying to ensure they do not face the risk of a large data breach leading to a hefty fine. The Information Commissioner's Office (ICO) is the regulatory authority for the UK and will be responsible for issuing fines for non-compliance with data protection law when the GDPR comes into force. In 2018 alone the ICO has issued fines totalling £1,913,000, one of which was a £400,000 fine for Carphone Warehouse, matching the largest fine the regulator has issued to date. For comparison, the current Data Protection Act 1998 caps ICO fines at £500,000; the GDPR's ceiling is orders of magnitude higher.
To comply or not to comply
The General Data Protection Regulation is a European law which will come into effect uniformly across EU member states on May 25th, 2018. However, the regulation applies to any organisation that processes the personal data of individuals in the EU, whether by offering them goods or services or by monitoring their behaviour, so organisations across the globe are affected. Unfortunately, some may not yet be aware of this, of the impending deadline, or of the fines they could face should they lose EU customer data. One such organisation is the US-based not-for-profit ICANN, which coordinates the domain name system and, through its accredited registrars, collects and publishes registrant contact data (WHOIS). ICANN appears to have been slow to recognise that the GDPR applies to it: while the organisation is based in the US, individuals in Europe routinely register domains, and their contact details are personal data, placing the organisation within the scope of the regulation.
In a statement, the organisation outlined the process it will follow to become compliant; however, with a large amount of work still to do, it is likely that the deadline will be missed, as some of the work is expected to take between three months and a year to complete.
Organisations that process personal data will have to ensure compliance with the regulation, and since one of its main goals is the protection of personal information, this is vital. Data controllers will also have to carry out greater due diligence to ensure they are working with processors that are compliant and will not introduce added risk that could result in a data breach.
Article 32 of the regulation sets out the security obligations that apply to processing:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
The article goes on to list, among other measures, the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access to personal data in a timely manner after an incident; and a process for regularly testing and evaluating the effectiveness of those measures. As a data processor, Redstor applies a high level of security around customer data, keeping data encrypted at all times to mitigate the risk of unauthorised access. In addition, Redstor has processes in place to maintain security, minimise the risk of data loss and give users on-demand access to their data.
To find out how Redstor can assist you with GDPR compliance, get in touch.