The General Data Protection Regulation (GDPR) came into effect several months ago, threatening to change the way organisations look after data forever. The run-up to the regulation taking effect on May 25th saw headlines that promised huge fines, major overhauls and organisations panicking to delete data. In reality, since the GDPR became fully effective there have been no major incidents for the ICO (Information Commissioner’s Office) to deal with.
As has been well documented, the ICO now has the power to levy a financial penalty of up to £17 million or 4% of global revenue, whichever is higher, for a major breach. However, the ICO has in the past shown a reluctance to fine organisations and would rather issue an enforcement notice or an undertaking.
An enforcement notice or an undertaking, when issued by the ICO or another supervisory authority, means that an organisation must take action to improve data protection or run the risk of a fine. An undertaking commits an organisation to a particular course of action to ensure compliance, while an enforcement notice means an organisation must take (or refrain from taking) specified steps to comply.
Fines under the previous Data Protection Act could reach £500,000, and the ICO only ever issued fines of £400,000 a handful of times. Fines are justified by the seriousness of the breach that has occurred, with the largest and most serious breaches receiving the larger fines. With the multitude of threats that organisations face, how long will it be until the first mega-fine under the GDPR occurs?
Facebook put themselves at risk
Facebook is one of the world’s most well-known organisations and, love them or hate them, you’ve heard of them. Public opinion in 2018 has taken a downturn for the company, as data protection is at the forefront of more people’s minds and the company has repeatedly failed to protect highly sensitive user data. This failure has prompted changes for the company, with founder Mark Zuckerberg publicly apologising for the company’s failings. As expected, the breaches have also prompted investigations by regulatory authorities, including the ICO.
In early 2018, it was revealed that a major data breach had occurred relating to the collection and misuse of user data held by Facebook. A number of allegations arose over how the data was collected and used, many of which had ties to political events in 2016 such as the US presidential election and the Brexit vote in Britain. Cambridge Analytica was at the heart of the allegations as one of the organisations that harvested user data. The organisation was able to access user data through a number of applications, including the quiz app ‘This is your digital life’. Because of a loophole in Facebook’s API (Application Programming Interface), the app’s developers could also view and access the data of the app users’ friends, people who had never used the app themselves. It is estimated that over 50 million Facebook users had their personal data collected in this manner.
This breach fell under the Data Protection Act (DPA), and Facebook therefore avoided the potentially huge financial penalties of the GDPR. The ICO did, however, fine the company the maximum amount available under the DPA, £500,000. With Facebook earning this amount in revenue in under 10 minutes in the first quarter of 2018, the fine arguably serves more as a warning for the future than as a financial burden.
Under the GDPR Facebook could have faced a fine of up to £1.4 billion.
Elizabeth Denham, the Information Commissioner, commented on the fines, saying:
“Facebook has failed to provide the kind of protections they are required to under the Data Protection Act… Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system… This was a very serious contravention, so in the new regime they would face a much higher fine.”
First of the mega-fines
Now that the GDPR is well in effect, organisations face the possibility of a seven-figure fine for non-compliance. However, it remains to be seen under what circumstances such a fine will first be issued. The ICO may look to set an early example if a breach occurs in the remainder of 2018, or it could keep fines more closely in line with previous levels, only crossing the barrier into millions when the most serious offences occur.
On-going compliance with the GDPR and data protection laws is a must for all organisations. Not only will compliance help organisations avoid hefty fines should a breach occur, it will also strengthen protection and minimise the risk of a breach in the first place. Download the whitepaper to learn more about on-going compliance with the GDPR.