Facebook Data Breach: lessons for UK businesses

Facebook Data Breach: lessons for UK businesses

Major breaches of data protection laws continue to hit the headlines, but none have been quite so high profile as the large-scale breaches involving Facebook. As expected, the Information Commissioner is now investigating, so what does this mean for UK business organisations?
What happened?

Facebook’s data breach involved the harvesting, by Cambridge Analytica, of around 50 million Facebook users’ details for political clients. An important tool used was an online quiz from which user details, and those of their Facebook friends, were taken and shared. Facebook’s boss, Mark Zuckerberg, has apologised for the “breach of trust”, but this neither repairs the damage done nor resolves what is a colossal breach.  

To make matters worse, a former operations manager at Facebook reportedly warned senior executives some years ago that the company’s lax approach to data protection risked a major breach. He was correct.

The scandal touches a particular nerve for UK businesses with the GDPR just weeks from implementation.   

Users taking part in the quiz consented to their data being used. The problem was, the Facebook friends of those users had not consented to their own data (which was linked to the quiz users’ profile) being used.

What’s the ICO’s role?

The ICO has already searched Cambridge Analytica’s office and will now assess and consider the evidence before deciding what steps to take, and what conclusions to draw. The ICO says that the search was “one part of a larger investigation by the ICO into the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors”. We will be watching to see what action the Information Commissioner decides to take.

What does this mean?

The ICO has already shown its willingness to come down hard on businesses that are found to be responsible for major data breaches, frequently imposing severe financial penalties. Now, with the GDPR weeks away from coming into force, the sanctions for businesses breaching the new rules could face even greater fines of up to 4% of their turnover, or €20 million (whichever is higher).

If any businesses are still slow in their preparations for the GDPR, we strongly urge you to take action now to minimise the risk of data protection breaches that could attract robust investigations and sanctions by the ICO. It is clear that businesses must be alert to the risks of not ensuring the personal data they hold is properly held and used.

Apart from the financial risk of major data breaches, there is the likelihood of long-lasting reputational damage. Advertisers are already threatening to desert Facebook and place their advertising campaigns elsewhere. Its reputation may never fully recover. Do not jeopardise your reputation or your financial position.

How can we help?

If you have any concerns about your data protection policies and procedures, particularly in light of this major breach and the forthcoming GDPR, contact the experienced commercial and data protection solicitors at Herrington Carmichael for urgent specialist advice before taking any further steps.

This publication reflects the law at the date of publication and is written as a general guide only – it is not intended to contain definitive legal advice, which should be sought as appropriate in relation to a particular matter.