Following the ICO’s lengthy and detailed investigation into the use of data analytics in political campaigns, it has been concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others. Those others include Cambridge Analytica of course. Evidence emerged in February this year that an app had been used to harvest the data of around 50 million data subjects (Facebook users) from across the world. The ICO have since estimated that this is more like 87 million.
Facebook has now been served notice of its fine of £500,000 for two breaches of the 1998 Data Protection Act. This is the largest fine to be handed out so far by the ICO; however, it is only because the contraventions happened before the GDPR came into force that it wasn’t potentially hundreds of millions of pounds, an altogether bitterer pill to swallow.
The commissioner has described the investigation as “the biggest and most important investigation the ICO has ever undertaken”.
Are data subjects more interested in what happens with their data?
Because of the enormous public profile of Facebook, this story will reverberate across the world and should continue to make data subjects more interested in what happens with their data. It should also make businesses take even greater notice of their responsibilities in handling people’s data.
There are an estimated 5.7 million businesses registered in the United Kingdom and around 500,000 of those are registered with the ICO; this is a massive discrepancy. Registration is just one of many responsibilities that a business needs to be aware of if it determines the purpose for which personal data is processed (that is, if it is a controller).
If your business is doggy-paddling in this pool of discrepancy you can consider yourself vulnerable to any feeding frenzy brought about by the media attention that this Facebook story creates. What I mean by this is that consumers are growing more and more aware of their rights relating to data protection, which is of course a good and positive thing, and so, if they do feel aggrieved at a company regarding the use of their data and they know how to exercise their rights, they may just catch that company out.
Confirming whether or not you are processing a person’s data
Imagine a member of your staff receives a request asking them to “confirm whether or not they are processing my data” and for whatever reason this request is missed. You are now in breach of the data regulations, and the subject reports you to the ICO. The ICO checks its records and sees you are not registered with them. This is rightly an open door to further investigation, which can be both costly and embarrassing.
Some might say that the ICO have been too busy of late with “the biggest and most important investigation the ICO has ever undertaken” to be concerned with the “small stuff”, and this may be true on some level. However, make no mistake: the ICO takes all enquiries seriously and, whilst they have been undeniably busy, if you have done something wrong they will get around to you.
How can a business protect itself?
Audit your practices and your policies, and make sure everyone in your business has the correct training to look after something that doesn’t belong to them. That thing being your customer, client and employee data.
Robert Brooks is the privacy officer at Stephens Scown. Robert advises clients on data protection and privacy. To discuss this article or another data protection issue you can get in touch either by telephone 01392 210700 or by email ip.it@stephens-scown.co.uk