Cyber Security Month week 4: Data privacy in the wake of Facebook’s fine

We’ve been blogging throughout October on cyber security in conjunction with European Cyber Security Month (ECSM), writing on the weekly themes to help you become savvier in the face of increasingly sophisticated cyber-attacks.

You can read the first three blogs in our series below:

The fourth and final full week in October focuses on emerging technologies and data privacy. The latter topic in particular couldn’t be more relevant, as today it was announced that Facebook has received the maximum possible penalty for the Cambridge Analytica data scandal – £500,000.

This fine is a drop in the ocean for the $13.2 billion-turnover company, but Facebook should consider itself lucky. The Information Commissioner’s Office (ICO), responsible for upholding multiple data protection laws, has stated that the company would have certainly faced a harsher financial penalty had the incident happened post-GDPR.

£500,000 seems paltry given that the ICO’s investigation found that Facebook had been unlawfully processing users’ personal information since 2007. Not only had Facebook shared users’ personal information with third parties without consent, it had also been processing user data that it shouldn’t have had access to through the Cambridge Analytica app, ‘this is your digital life’. The innocent-looking app harvested the data not only of users who interacted with the app, but of friends of those users, even if they didn’t have the app.

The ICO’s Information Commissioner, Elizabeth Denham, said of the fine: “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation.

“One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”

It’s clear that the ICO considers this a very serious breach and it’s widely understood that, had GDPR been applicable to this breach, the enforcer would have likely imposed the maximum fine of 4% of global annual turnover.

This incident should send a stark warning to businesses about the way they process personal data and handle user consent. For consumers, it’s important that businesses are transparent about the way that they process their data.

To ensure the privacy of your own data, it’s important to check how a business will process it. The GDPR requires websites to include a disclaimer on how your data will be processed. Most will include more detailed information and should give you the option to easily opt out of non-essential processing. For the services you already use, you can find out how your data is processed by checking their GDPR policies or submitting a subject access request.

Interested in finding out more?

We’ve written a lot on the topic of GDPR and shared a number of useful resources in our one-stop GDPR section – take a look now.