Mark Zuckerberg has not had a good couple of weeks at the office. The revelations that Cambridge Analytica misused the data provided to it by Facebook, but that Facebook also failed to alert its users to this misuse (and allegedly didn’t have adequate controls in place in the first place), has left him at best rather red faced. As businesses of all shapes and sizes prepare for compliance with the General Data Protection Regulation (GDPR) in time for the looming May 25th deadline, this scandal that has dominated headlines in recent days brings into sharp focus the catastrophic effects of failing to have in place adequate data policies and of data falling into the wrong hands. It also brings the role of data controllers closely under the spotlight.
The requirements of GDPR are a hot topic and one that isn’t likely to disappear any time soon; the Facebook debacle only serves to further illustrate this. For any business that comes into contact with personal data, (which will be most!) real preparation is key. It will not be enough to give data policies a cursory update and then hope to stay under the radar of the Information Commissioner’s Office (ICO).
While the Facebook fiasco may be an extreme example, it demonstrates perfectly how things can quickly spiral out of control; what started with the collection of the data of 270,000 users ended with over 50 million Facebook users being affected. It is therefore imperative that data controllers understand clearly their duties under the new regime but (and possibly even more importantly) that they are also responsible and accountable for how any data is processed on their behalf by third parties.
Data policies must be robust enough to ensure that data is protected all the way down the line. It is not sufficient to shrug shoulders and say ‘we did our best but they still breached our terms’; policies should include measures in order to ensure that this does not happen and if it does, swift and effective action must be taken.
While the increased fines under GDPR – the higher of 4% of turnover or €20million – are probably the most talked about and attention grabbing of the upcoming changes, the slide in Facebook’s shares (currently knocking around $30 billion off its value) demonstrates that businesses found to be in breach could be left counting a far greater cost – in the form of damage to their reputation.
In a society where sharing our personal data widely is just a fact of life, data protection is not just about complying with regulations but also maintaining public trust and opinion. Only time will tell where this scandal will end for Facebook and while still much is unknown about GDPR and is unlikely to become clear until many months after the May deadline, it seems certain that it will continue to be a talking point for weeks to come and that information controllers will remain under the close scrutiny of the ICO for far longer.
To consult with Jessica, please submit an enquiry for a free 15-minute consultation or call our friendly team today on 020 7148 1066. If you want to find out more about the GDPR and how to ensure your business is compliant, register here for our upcoming GDPR webinar on Weds 18th April 2018. Please be aware that spaces are limited!