Facebook has been fined £500,000 by the U.K. Information Commissioner’s Office (ICO) over the Cambridge Analytica data scandal, the first fine of many that the social media giant will be faced with in the near future.
News broke earlier this year that the personal data belonging to 87 million users was improperly gathered and misused by political consultancy firm Cambridge Analytica, the firm that worked with the Donald Trump election team during the 2016 U.S. presidential election.
Cambridge Analytica whistleblower Christopher Wylie told the Observer back in April, “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.”
The ICO’s investigation concluded that Facebook failed to prevent users’ data from falling into the hands of Cambridge Analytica and failed to be transparent about how others were harvesting the personal information of its users, in breach of the UK’s Data Protection Act. In response, the ICO has fined Facebook £500,000 ($664,000), the maximum penalty permitted under the Data Protection Act 1998.
However, Facebook still has a chance to respond to the ICO’s Notice of Intent before a final decision on the monetary penalty is made. According to an ICO update, “Their representations are due later this month, and we have taken no final view on the merits of the case at this time. We will consider carefully any representations Facebook may wish to make before finalising our views.”
The timing of this incident could not be better for Facebook. The ICO’s fine of £500,000 was imposed under the UK’s old data protection law, which has since been superseded by the EU’s General Data Protection Regulation (GDPR), in force since May 25, 2018. Had the incident occurred after the GDPR came into force, Facebook could have faced a maximum fine of 20 million euros or 4% of its annual global turnover, whichever is higher.
GDPR focuses heavily on processes and procedures for acquiring, using and handling personal data in a way that is ‘lawful and fair’, but the cybersecurity dimension is critical in order to demonstrate that you have ensured ‘appropriate security and confidentiality of the personal data’. Under Article 32 of the GDPR (Security of Processing), controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This includes, as appropriate:
- The pseudonymization and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Complying with Article 32 requires both organizational and technical strategies. NNT can help your organization in several essential areas, including Change Management, privileged user monitoring, and automated log analysis.