Facebook has been fined £500,000 by the U.K. Information Commissioner’s Office (ICO) over the Cambridge Analytica data scandal, the first fine of many that the social media giant will be faced with in the near future.

News broke earlier this year that the personal data belonging to 87 million users was improperly gathered and misused by political consultancy firm Cambridge Analytica, the firm that worked with the Donald Trump election team during the 2016 U.S. presidential election.

Cambridge Analytica whistleblower Christopher Wylie told the Observer back in April, “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.”

The ICO’s investigation concluded that Facebook failed to prevent users’ data from falling into the hands of Cambridge Analytica and failed to be transparent about how the personal information of its users was being harvested by others, violating the UK’s Data Protection Act. In response to the data leak, Facebook has been fined by the ICO £500,000 ($664,000) – the maximum fine allowed by the UK’s Data Protection Act of 1998.

However, Facebook still has a chance to respond to the ICO's Notice of Intent before a final decision on the monetary fine is made. This is according to an ICO update claiming, “Their representations are due later this month, and we have taken no final view on the merits of the case at this time. We will consider carefully any representations Facebook may wish to make before finalising our views.”

The timing of this incident could not be better for Facebook. The ICO’s fine of £500,000 is imposed under the UK’s old data protection law, which was recently replaced by the EU’s General Data Protection Regulation (GDPR), which came into force on May 25, 2018. Had this security incident occurred after the GDPR came into force, Facebook could have faced a maximum fine of 20 million euros or 4% of its annual global revenue, whichever was higher.

GDPR focuses heavily on the processes and procedures for acquiring, utilizing and handling personal data in a way that is ‘lawful and fair’, but the cybersecurity dimension is undeniably critical in order to prove that you have ensured ‘appropriate security and confidentiality of the personal data’. Under Article 32 of the General Data Protection Regulation, Security of Personal Data – Security of Processing, controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes:

  • The pseudonymization and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Complying with Article 32 requires both organizational and technical strategies. NNT can help your organization in several essential areas, including Change Management, privileged user monitoring, and automated log analysis.

Copyright 2018, New Net Technologies LLC. All rights reserved. 