Business Law & Compliance

Facebook, data breaches and the real risk under GDPR

23 March 2018

With the introduction of GDPR two months away (25 May), the news this week regarding Cambridge Analytica and the Facebook data breach involving the data of approximately 50m Facebook users should be a lesson to every business about the real risks under GDPR.

Most of the talk about the changes under GDPR has related to the significant increase in fines, which are going up from the current maximum of £500,000 to €20m or four per cent of global turnover, whichever is higher. Given that Facebook’s annual revenue for the 12 months to 31 December 2017 was just shy of $40bn, the maximum fine that could be imposed would be around $1.6bn or circa €1.3bn.

However, whilst the forthcoming increase in fines has grabbed most of the headlines surrounding GDPR, there has been a significant amount of scaremongering around them. According to the most recent annual report from the Information Commissioner’s Office (ICO), only 16 civil monetary penalties (i.e. fines) were issued during the year 2016/2017.

As such, the ICO very much sees fines as an absolute last resort, reserved for cases where a large volume of data has been compromised (think TalkTalk).

Elizabeth Denham, the Information Commissioner, pointed out when interviewed this week on Channel 4 that Facebook, as a private sector organisation, has no obligation to report data breaches. This will change under GDPR come 25 May, and for me this is the most significant change GDPR introduces.

The reason for this is that having to positively report a data breach puts you on the ICO’s radar. If any action is then taken by the ICO as a result of that data breach, you run the risk that you will be “named and shamed”. Additionally, if the breach is one that constitutes a “high risk to the rights and freedoms of individuals”, you may also have to inform those individuals directly – imagine a letter on your company’s letterhead arriving on an individual’s doormat telling them you compromised their data.

These in turn pose a significant risk to the reputation of your organisation, especially in the current age of digital media where news spreads far and wide almost instantly – before you know it, a photograph of that letter will be on platforms such as Twitter, Instagram and (ironically) Facebook, being shared, liked and retweeted endlessly.

If your organisation is then seen as one that can’t be trusted to keep data secure, you will lose existing customers, struggle to attract new customers and struggle with commercial relationships (in Facebook’s case, its model relies almost entirely on income from advertisers).

What is the cost of this…

Let’s look at what happened to Facebook in the two days since the breach was announced. Firstly, we have seen the social media campaign #deletefacebook gathering pace, with numerous users deleting their accounts – something significant for a business built on user numbers and the amount of time users spend on the platform.

Secondly, and more importantly, the shareholders/investors have reacted: in the first two days since the Cambridge Analytica story broke, more than $50bn has been wiped off its share value – a fall of over nine per cent based on one news story, and a fall in value greater than the entire value of the Ford Motor Company.

Whilst GDPR compliance has a financial implication in the shape of potential fines, don’t discount the reputational and consequential financial damage that can be caused by failing to look after data.

Christian Mancier is a partner at Gorvins, working in the commercial team.