Facebook has, in respect of its data breach earlier this year, been fined the maximum £500,000 allowed under the DPA (Data Protection Act) 1998. It’s lucky the breach was discovered before 25 May 2018; if the fine had been levied under the EU GDPR (General Data Protection Regulation), it could have been 4% of Facebook’s 2017 global turnover of $27.64 billion, blowing a $960 million hole in the social media giant’s bottom line.
While the fine itself is not particularly notable – it’s not the first time the maximum fine has been imposed under the DPA 1998, and Facebook can easily afford it – what should be noted is that the ICO (Information Commissioner’s Office) said “one of the main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data”.
Remember the GDPR requirement that fines are intended to be proportionate, effective and dissuasive? The key message from the ICO is that initial fines may well be more painful for transgressors than we are expecting, given the legal requirement that those fines should dissuade organisations from poor practices, the ICO’s determination to drive improvements in data handling and the pan-EU approach to ensuring that data is genuinely protected.
If you’re not already GDPR compliant with an effective privacy compliance framework in place, now is the time to accelerate your project! Don’t become a statistic.