
From Facebook to Under Armour, Data Security Breaches Put GDPR in the Spotlight

The Facebook/Cambridge Analytica scandal has prompted heightened concerns over data protection and privacy, with high-profile breaches at Under Armour and Hudson’s Bay Company-owned Saks Fifth Avenue and Lord & Taylor following quickly on its heels.

The timing is uncanny in light of the looming May 25 deadline when the European Union General Data Protection Regulation (GDPR)—billed as the most far-reaching data privacy changes in two decades—takes effect, upending how companies collect and use consumer information, especially data gathered by third parties. Though GDPR is being enacted in the European Union, it affects any company that has customers in EU countries.

“The fact that the first scalp happened well before May 25 is making every CMO and CFO sit up and listen,” Mike Hemmings, EMEA marketing director at ad targeting software firm Grapeshot, said, referencing the Facebook data scandal.

Greg Sparrow, senior vice president and general manager for information security firm CompliancePoint, likened how Europeans feel about data privacy to how many Americans see the Second Amendment and their “inalienable” right to bear arms.

“That’s the same view Europeans have around privacy. It’s very much a part of their culture,” Sparrow said. “For U.S.-based organizations, it’s shocking how many large companies have yet to begin this [GDPR compliance] process in earnest. They’ve had their heads in the sand for a long time, with a lot of discussion about applicability and enforcement.”

GDPR was approved and adopted by the EU Parliament in April 2016, with a two-year transition period giving businesses time to adjust to the new regulations. Businesses that violate GDPR will be fined either 2 percent of their global revenue or 10 million euro (whichever is greater) for lower-level infringements, or 4 percent of global revenue or 20 million euro (whichever is greater) for the most severe ones, depending on the severity of the breach and other factors.


Of greatest concern for companies are two out of GDPR’s six key rules: consent and legitimate interest.

Under the revitalized definition of consent, businesses will have to explicitly ask customers—even existing ones—to opt into communications. Expect to see the biggest players such as Google, LinkedIn and others emailing users in the coming months asking for consent, Hemmings said. Ignoring those emails does not imply consent.

Sparrow said he’s encouraging clients to look at consent as the preferred course of action over legitimate interest. “We’re moving away from a world that is ‘opt out’ by default, and towards an ‘opt in’ scenario,” he said.

What’s more, legitimate interest can be seen as sort of a “grey area” in how it’s defined or interpreted, Sparrow noted. “It’s hard to argue that Facebook had legitimate interest in the data they were collecting, just sucking up all that data that’s available,” he added.

According to Hemmings, legitimate interest implies mutual consent and interest between business and consumer. A person who purchased a skydiving package, for example, could then receive a GDPR-compliant offer within the next year for a similar deal. But if the offer lies outside of the business’s core mission, that’s not legitimate interest, Hemmings explained.

GDPR also dictates the length of time businesses can hold onto data and leverage it for marketing purposes. “There’s a period of time that’s acceptable for re-contact,” Hemmings said. “If after 12 months we re-contact you, that’s not legitimate if you haven’t purchased recently.”

Discussing the Under Armour/MyFitnessPal data breach, with which he is not involved, Hemmings said if the incident involved any EU resident data or if the affected data was being processed, stored or managed in the EU, under GDPR the company would need to report the breach to the Information Commissioner’s Office (ICO), which enforces GDPR in the U.K., or its equivalent in the rest of the European Union.

“Being Under Armour, it likely would be large scale and include an amount of personal data that could impact the customer base. They would need to report it within 72 hours and also report to the data subjects it affects,” Hemmings explained. “They would propose a plan to manage the breach to the ICO, and the ICO—or a similar supervising authority—would then likely audit the systems and processes. They may—we still don’t know as it’s brand new—still receive a fine, but significantly less than if they hadn’t proactively reported.

“The fine would at maximum be 4 percent of global turnover or 20 million euro—whichever is largest—if the most severe type of breach occurred. In all likelihood it would be less as it may not include highly personal or sensitive data,” Hemmings added.

However, in the case of the Saks and Lord & Taylor point-of-sale data breach, there likely were “aggravating factors” at play, that is, numerous factors—not just a single one—that led to the breach, which under GDPR would potentially mean either multiple fines for the multiple factors, or one lump sum, Hemmings said. Sparrow, for his part, said the Saks breach points to a lapse in data processing security, which falls under Article 32 of the GDPR. “Failure to provide appropriate security controls in this context would fall into the lower level infringement,” Sparrow said.

GDPR is triggering a data protection movement worldwide, as even second-world countries are enacting strong privacy regulations and Canada is in the midst of drafting policy that mirrors GDPR, Sparrow said.

“There was a rush in information technology to collect data, and now there’s a swing back toward consumerism and consumer rights as a fundamental shift,” Sparrow noted, adding his belief that GDPR-type regulations eventually will be enacted in the U.S. at the state level before it’s federal policy.

Under GDPR, both data controllers (i.e., the primary business or “data holder”) and data processors—third parties that process data on behalf of the controller—will be liable for non-compliance. This means businesses should be auditing their partners to determine which ones most expose them to liability and risk, Hemmings said.

“GDPR affects all parts of the business when you look at where data lives,” Sparrow said. As such, many different areas of the enterprise, from human resources and legal to IT and the contracts department, will need appropriate training, funding and staffing to ensure good information security practices and to become—and remain—compliant under GDPR, he said. The largest companies will need to hire a data protection officer (DPO) or chief data officer to oversee all data activities. A DPO is a government-stipulated and protected role that is required where the risk of a data privacy breach comes with significant potential impacts to the consumer.

“So on this, an apparel business would not typically fall under any of these criteria,” Hemmings explained. “Their core activities are not to process special category data and they do not do it at the kind of scale that the Working Party 29 references.

“However, this is not the point: with or without the official role of DPO, the functions of this role that align with GDPR compliance still need to be adhered to,” Hemmings added. “An apparel business would need to still apply basic data security and storage rules to comply with the GDPR and despite not having a DPO, they would still be subject to the same fines and reputational damage as a business that by law is required to have one.”

Data regulatory agencies in the European Union likely will focus first on the “biggest players” that pose the greatest “systemic” risk. “They’re going to go after brands with a lot of equity that regulators can hang their hat on and say ‘we got Google’ or ‘we got Facebook’ or whoever it might be,” Sparrow explained. “And I think they will work their way down from there. But I think those are some of the first enforcement actions that we’ll see.”

Companies should take a risk-based approach to coming into compliance and do what’s reasonable given the state of the industry, the size of the organization, and the means available, Sparrow said. Regulatory authorities likely won’t go for the jugular immediately if they see that a company is at least trying to get its data in order.

“They want to see what they consider to be due diligence or due care—that you’re not getting started on this because you heard that they were walking in the door,” Sparrow said. “They want to see that you’re showing some type of responsible behavior before they came knocking on the door. You at least have some defensibility. You’re making an attempt. It may not be what they’re looking for but at least you’ve got a starting point to work from.”

Hemmings said that in the UK, the ICO is already leveraging the Facebook/Cambridge Analytica scandal to demonstrate its seriousness about GDPR enforcement. Just look at the imagery surrounding the scandal fallout, depicting ICO officers in their high-visibility jackets entering Cambridge Analytica offices, he said. “They’re going to use Facebook/Cambridge Analytica to show that they do have teeth,” Hemmings explained. “The more breaches they could expose, the more money comes into the coffers of the country where the breach has occurred. The more money that comes into the coffers of the British government, for example, then the more funding the ICO’s going to get.

“Their teeth are only going to get bigger,” Hemmings added.