AJ Thompson, CCO of Northdoor plc

Member Article

Facebook facing scrutiny by European regulators should act as a reminder to all about the importance of GDPR


GDPR is once again headline news with Facebook facing the wrath of European regulators over a data breach that saw the details of 533 million users, including 11 million in the UK, leaked online for free in 2019.

When GDPR was introduced in May 2018, it came with a huge fanfare and media coverage not usually associated with new regulations. Alongside companies scrambling to sort out their data and ensuring it was secure, levels of public understanding about the sensitive nature and value of the data companies held increased dramatically.

However, fast forward three years and a great deal has changed. The pandemic has understandably taken some of the spotlight and headlines away from GDPR. So, the news that the Irish Data Protection Commission (DPC), Facebook’s lead regulator in the EU, is looking into the huge data breach that took place in 2019 for a possible breach of GDPR data laws will come as a stark reminder to some of the importance of ensuring they are GDPR compliant.

Facebook potentially falling foul of GDPR rules

Facebook was heavily criticised in 2019 for not notifying users whose details had been leaked. 533 million accounts in 106 countries were harvested through a security loophole in September 2019. Details included full names, phone numbers, dates of birth and other sensitive data, including details of the then US transport secretary Pete Buttigieg and Facebook’s own CEO, Mark Zuckerberg. No passwords or more personal information were included, but the details that were gathered could still have been useful for scams or future hacking attempts.

At the time Facebook refused to apologise for the incident and, significantly, the DPC said it had received no communication from Facebook about the incident. Under GDPR rules companies have 72 hours from the time they first become aware a breach has occurred to report it to the appropriate authority. The fact that the DPC had no proactive communication from Facebook could point to a potentially big problem for the social media giant. The potential fine could be up to four percent of its $86 billion revenue.

GDPR has not gone away and nor have the threats from cyber-criminals

So, whilst Facebook is examined by the Irish authorities for a possible breach of GDPR rules, it might have come at a good time for other companies. It acts, if nothing else, as a useful reminder that GDPR has not gone away and that authorities are still looking closely into breaches. Unlike some other regulations, fines and warnings were being handed out by authorities as soon as the regulation had been introduced.

This trend has not actually stopped or slowed during the last year. According to research from global law firm DLA Piper, between January 2020 and January 2021 GDPR fines actually rose nearly 40 percent, with penalties totalling $191.5 million. With the pandemic and its consequences understandably dominating the news, the GDPR fines and the fact that they are rising have not been as high profile as they might have been. It does highlight, though, that companies have to continuously check they are adhering to the rules. The danger of regulation is that companies see it as a tick-box exercise and, once adhered to, regulations are almost forgotten. This of course is a dangerous route to take, as we see the threat from cyber-criminals continually increasing in levels of sophistication. This means that the actions put in place to secure adherence may no longer be effective.

Embedding compliance as a seamless function within your business

The key to GDPR adherence and remaining compliant is to industrialise the process. By embedding compliance as a seamless function within your business much of the pain of complying with GDPR is taken away. As part of the industrialisation process there are a number of actions businesses should consider taking.

The first action that any company should undertake is an audit. Whether companies are already compliant or are trying to build towards adherence, auditing where data lies and whether existing GDPR programmes are fit for purpose is a crucial first step. The next step is to see where possible vulnerabilities lie. This starts in your own systems, but as we have seen from some of the highest profile hacks over the last few months, securing your own internal systems is no longer enough to keep criminals out.

With companies working with multiple partners the risk is suddenly increased. Many of these partners have the potential to act as a back-door for criminals looking to gain access to key data. A company’s security could be strong, but if a partner leaves the ‘backdoor open’ it negates any investment made in protecting data. It is, therefore, critical for companies to gain an insight into the security and potential vulnerabilities of partners’ systems. Many are turning to automated and machine-learning tools that determine exposure across multiple degrees of relationships. This enables compliance monitoring to provide an executive view of cyber risk in real time, whilst helping to ensure GDPR adherence.

Much of the process around GDPR is reacting in a timely manner, whether this is to let authorities know of a breach or reacting to requests from individuals wanting to see what data of theirs is being held. Subject Access Requests (SARs) have the potential to be a real headache for companies. Gathering the data from potentially multiple sources and getting it back in a timely manner is time consuming and, on the face of it, not business critical. By automating the process companies are able to increase both the accuracy and the speed of responding to such requests, ensuring that they remain compliant with the regulation.

Likewise, reporting breaches in a timely manner is crucial. As we have seen from the Facebook case, unless breaches are reported within 72 hours, regulators will prosecute. If organisations are dependent on nominated personnel to execute manual processes around breach reporting, there is a strong risk that they will be unable to meet the statutory obligations in the event of a major incident. Therefore, industrialising this process with automated solutions that guide employees through the reporting process whilst providing tools to help investigate incidents and prevent reoccurrence can have a huge impact on a company’s ability to adhere to GDPR.

By embedding such elements into your business much of the painstaking work that can often be associated with GDPR adherence is taken away. Attempts by cyber criminals to gain access to sensitive or valuable data are only likely to increase, and their methods will become more sophisticated. Add to this the fact that many organisations are still coming to terms with operating in new work environments, and there is likely to be a raft of data breaches over the coming months.

GDPR adherence is not a tick-box exercise and the Facebook incident should remind us all that the consequences of poor security or not reacting appropriately to a breach have the potential to do great damage financially and reputationally, something which for some victims has been impossible to overcome.

This was posted in Bdaily's Members' News section by Anna Boyce.