If any data controllers or companies are not yet convinced that GDPR training offers a great return on investment, they could do a lot worse than to take a look at the cautionary tale afforded by Facebook.
In early July 2018, the US social media behemoth was fined £500,000 for its part in the Cambridge Analytica scandal. In short, Facebook hosted a third-party app in 2014 and 2015 that was used to harvest personal data, ultimately used by Cambridge Analytica to assess people’s political preferences and likely voting intentions.
Cambridge Analytica are then alleged to have sold that data to the Trump presidential campaign of 2016 and to pro-Brexit groups in the UK referendum on withdrawal from the EU in May of the same year.
The Information Commissioner’s Office (ICO) concluded that Facebook had failed to safeguard its users’ personal data as required under previous data protection legislation. It imposed a fine of £500,000.
“Facebook has failed to provide the kind of protections they are required to under the Data Protection Act,” said Elizabeth Denham, the Information Commissioner. “Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”
Crucially, Facebook arguably got off lightly. Because of the timing of the breaches, Denham was unable to impose the new fines available to her under the EU GDPR and the UK’s Data Protection Act 2018. In fact, in the first quarter of this year, Facebook took £500,000 in revenue every five-and-a-half minutes, so this fine, though hefty, is hardly a deterrent.
Under the new provisions, the ICO could have charged either €20m (£17m) or 4% of global turnover – in Facebook’s case, its annual global turnover last year was over $40bn, meaning a potential fine of $1.6bn (£1.2bn). These are serious sums, and Denham’s determination to “effect change” means that companies need to take the range of sanctions open to her and her office very seriously indeed.
And that is not the end of Facebook’s problems – this is simply the fine by the ICO and Facebook should ready itself for individual claims against it. Leading data protection lawyer Sean Humber of Leigh Day predicts that Facebook could be hit with up to one million legal claims stemming from this ruling, meaning a compensation bill that will likely run into “hundreds of millions”. He urged the social media giant to put aside a considerable war chest for paying out these claims.
So if there is anyone in your organisation querying the necessity or value of GDPR training, tell them to check out Facebook. And we don’t mean for those viral videos of cats doing the funniest things.