For some time now, protecting users’ data has been an obligation for companies all over the world. And not just a moral obligation, but a legal one too, since different regulations can impose all kinds of fines on any company that flouts these rules.
And some laws are harsher than others. There is one clear example of how these laws can work: public mistrust of Facebook came to the fore following the Cambridge Analytica scandal, a grave crisis that led to a £500,000 (around €560,000) fine in the United Kingdom. The Information Commissioner’s Office (ICO) in the UK has investigated around 30 companies in a similar situation to Facebook’s. According to their report, the social network founded by Mark Zuckerberg was not diligent in protecting its users’ data or privacy.
However, when all is said and done, how much can a £500,000 fine really hurt Facebook? In actual fact, not only is this sum barely a scratch on the surface of the company’s finances, it is probably something of a relief for Facebook, given that the fine was imposed under the old rules rather than under the General Data Protection Regulation (GDPR), which came into force on May 25 of this year.
What would have happened with the GDPR?
If Facebook’s negligence had taken place with the GDPR in force, the consequences would have been markedly different. As well as the serious damage to the company’s reputation – something that did in fact happen – the economic sanctions would have been far more substantial.
In case of non-compliance with the GDPR, four levels of sanctions have been laid out: a warning, a reprimand, the suspension of data processing, and a fine. In the case of the fine, there are two different levels:
Level 1. A fine of €10 million or 2% of annual global turnover (whichever figure is higher).
Level 2. A fine of €20 million or 4% of annual global turnover (whichever figure is higher).
In this case, therefore, Facebook, which had earnings of €32.75 billion in 2017, could have had to face a Level 2 fine of over €1.3 billion (4% of that figure). While this sum still wouldn’t be enough to rattle the company financially, it would be far more detrimental.
Six months after the GDPR came into force, many companies are still struggling with it. And some are not going to have the same luck as Facebook, since their fines will now fall under the jurisdiction of the new regulation. This is what will happen with Exactis, which left a database containing 340 million records exposed, or Timehop, which exposed the personal data of 21 million users.
How to comply with the GDPR
Studying the intricacies of the new legislation shouldn’t be too much of a problem for companies like Facebook, given the teams and the resources available to them. There are, however, other companies that, whether because of their size, or because of the sector they work in, may have more trouble complying with the new rules.
So that the GDPR doesn’t become a headache, companies of all types and all sizes can follow these recommendations:
1.- Protect the company’s cybersecurity. Cybersecurity has always been essential for companies, but now more so than ever. As well as being diligent in how they protect data and private information, they must also design response procedures for possible security alerts. It’s also important to be cyber-resilient, keeping abreast of the latest strategies used in cyberattacks. If a company suffers a data breach, it must inform the data protection authorities within a maximum of 72 hours after it becomes aware of the breach.
2.- Technology solutions. No company can do all this work alone: some of the responsibilities must be delegated to an external tech solution. To this end, Panda Data Control, the data protection module of Panda Adaptive Defense, categorizes and correlates all data about cyberthreats in order to carry out prevention, detection, response and remediation tasks, combined with reduction services. The solution monitors all of the company’s activity, detects possible risk situations and simplifies the management of this kind of task within the company.
3.- Protect users. Cybersecurity isn’t just about conserving and protecting the company’s information: it is also about protecting the company’s employees, clients, providers, users, and so on. Companies need to protect the privacy of those with whom they have a relationship, as well as being transparent with them so that they know exactly what is being done with their data. To fulfill all of this, companies must also have a data protection officer (DPO) to oversee and lead this kind of task.