Last week, Facebook began investigating claims that Cambridge Analytica used data harvested from millions of Facebook profiles to target voters in the US general election in 2016.
In what appeared to be a damage limitation exercise, the social network has banned the political strategy company from its platform whilst the investigation is ongoing.
However, this scandal raises the question of how adequate Facebook’s data security systems are, given that Cambridge Analytica were able to access and use Facebook users’ personal details.
Following this data breach, Facebook’s 2.2bn active users might now be wondering how safe their personal data is, and whether Facebook is doing enough to secure it.
Furthermore, Facebook only reacted on Friday, when it must have known there was a potential problem many months, if not years, ago.
In August 2016, the social media giant sent a legal letter to Christopher Wylie, a former Cambridge Analytica employee, asking him to destroy any data he held that had been improperly collected.
Facebook did not publicly disclose this at the time, and they appear to have carried out no further enforcement other than requiring those who wrongly held the data to “self-certify” that they had indeed destroyed it.
More troubling still is the apparent lack of any systematic response to ensure the same type of breach does not happen again.
General Data Protection Regulation 2016 (GDPR)
Under this new Regulation which comes into force on 25th May 2018, an Organisation should ensure they have robust breach detection, investigation and internal reporting procedures in place.
The GDPR introduces a duty on all Organisations to report certain types of personal data breach to the relevant Supervisory Authority; in the UK this is the Information Commissioner’s Office (ICO). This must be done within 72 hours of becoming aware of the breach, where feasible.
The above incident also breaches the principles of the GDPR, especially the principle that personal data must be:
“Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Infringement of the requirements of the GDPR can attract fines of up to 4% of total global annual turnover or €20M (whichever is the higher).
Should your Organisation require assistance with meeting the requirements of this upcoming Regulation, please do not hesitate to contact Andrew Swan – Head of Regulation at Short, Richardson & Forth at firstname.lastname@example.org or Sheila Ramshaw – Specialist in Regulation at email@example.com or on 0191 232 0283.