With the introduction of the General Data Protection Regulation (known as “GDPR”) now just 2 months away (25th May), the news this week regarding Cambridge Analytica and the Facebook data breach, involving the data of approximately 50 million Facebook users, should be a lesson to every business about the real risks under GDPR.
Most of the talk about the changes under GDPR has related to the significant increase in fines, which are going up from the current maximum of £500,000 to €20m or 4% of global turnover, whichever is higher. Given that Facebook’s annual revenue for the 12 months to 31st December 2017 was just shy of $40bn, the maximum fine that could be imposed under GDPR would be somewhere in the region of $1.6bn, or circa €1.3bn – a truly eye-watering amount.
However, whilst the forthcoming increase in fines has grabbed most of the headlines surrounding GDPR, there has been a significant amount of scaremongering around these. According to the most recent annual report from the Information Commissioner’s Office (the “ICO”), only 16 civil monetary penalties (i.e. fines) were issued during the year 2016/2017. As such, the ICO very much sees fines as an absolute last resort, or reserved for cases where a large volume of data has been compromised (think TalkTalk).
However, as Elizabeth Denham, the Information Commissioner, correctly pointed out when interviewed this week on Channel 4, Facebook, as a private sector organisation, currently has no obligation to report data breaches. This will change under GDPR come 25th May and, for me, this is the most significant change GDPR introduces.
The reason for this is that having to positively report a data breach puts you on the ICO’s radar. If the ICO then takes any action as a result of that data breach, you run the risk of being “named and shamed”. Additionally, if the breach is one that constitutes a “high risk to the rights and freedoms of individuals”, you may also have to inform those individuals directly – imagine a letter on your company letterhead arriving on an individual’s doormat telling them that your organisation has compromised their data, potentially putting them at risk of identity theft or financial fraud.
These in turn pose a significant risk to the reputation of your organisation, especially in the current age of digital media where news spreads far and wide almost instantly – before you know it, a photograph of that letter will be on platforms such as Twitter, Instagram and (ironically) Facebook, being shared, liked and retweeted endlessly. If your organisation is then seen as one that can’t be trusted to keep data secure, you will lose existing customers, struggle to attract new customers and struggle with commercial relationships (where, in Facebook’s case, its model relies almost entirely on the income from advertisers).
So what is the cost of this…
Look at what has happened to Facebook in the 2 days since the breach was announced. Firstly, we have seen the social media campaign #deletefacebook gathering pace, with numerous users deleting their accounts – something significant for a business based on user numbers and the amount of time users spend on the platform. Secondly, and more importantly, the shareholders/investors have reacted: in the first 2 days since the Cambridge Analytica story broke, more than $50bn has been wiped off its share value – a fall of over 9% based on one news story, and a fall in value greater than the entire value of the Ford Motor Company – a staggering statistic by any standards and one which makes the potential €1.3bn fine under GDPR a mere comparative drop in the ocean.
Whilst GDPR compliance has a financial implication in the shape of potential fines, don’t discount the reputational and consequential financial damage that can be caused by failing to look after data properly.
If you need any assistance in relation to GDPR compliance and implementation, please do not hesitate to get in touch with Christian Mancier from Govins Solicitors via email@example.com or 0161-930-5117.