
Facebook Dodged $1.5 Billion GDPR Penalty, Should be Wake-Up Call for Compliance Laggards

The European Union’s Global Data Protection Regulation (GDPR) sent businesses worldwide into a tizzy earlier this year as the race to achieve compliance ran right up until the May 25 enforcement deadline.

Days before the go-live date, an IBM study found that shockingly few enterprises would be fully compliant on time, though that fateful Friday came and went with a to-be-expected amount of drama.

So how are organizations faring in a post-GDPR world in which companies face harsh financial penalties for mishandling customer data and violating consumer privacy? For one, Facebook’s Cambridge Analytica fallout could be serving as a much-needed wake-up call.

While the social media firm’s scandal pushed GDPR into the fore ahead of the enforcement deadline, it’s the amount of the subsequent fine it must pay to the Information Commissioner’s Office, a U.K. data protection agency, that should prompt companies to make compliance a priority.

The BBC reported that Facebook will have to cough up 500,000 pounds ($660,000) to the ICO, a tiny sum in comparison to the 1.2 billion pounds ($1.5 billion) it would have owed if the violation had occurred after GDPR took effect. The previous regulation, the Data Protection Act 1998, set forth a maximum fine of 500,000 pounds, while GDPR allows penalties of up to 20 million euros ($23 million) or 4 percent of global revenue, whichever is greater.

A TrustArc survey conducted by Dimensional Research one month after the May 25 enforcement deadline revealed that compliance is a slow and costly process for many organizations. Just 20 percent believe their company has achieved full compliance with the new regime, while roughly half (52 percent) are knee-deep in implementation. What’s troubling: more than a quarter (27 percent) have yet to begin the compliance process.

“While the amount of effort was immense for the deadline of May 25, there is substantive work yet to complete to achieve initial compliance as well as monitor and maintain compliance on a repeatable and efficient ongoing basis,” TrustArc CEO Chris Babel said.

Though the numbers don’t seem encouraging, a comparison with findings from August 2017 points to companies taking critical steps to bring their data into compliance. In the U.S., the share of businesses with compliance efforts completed or in progress jumped from 38 percent to 66 percent, while 73 percent of U.K. companies said the same, up from 37 percent.

For many businesses, the cost of GDPR compliance hovers around the half-million mark. Twenty-seven percent of survey takers said they’d spent this amount to achieve compliance, while another 31 percent claim their compliance efforts will cost $500,000 between June and December of this year. Spending exceeded $1 million for 18 percent of businesses in the U.S., though just 8 percent apiece of U.K. and EU firms disbursed that amount, TrustArc said.

Despite the specter of crippling fines, more businesses said compliance was about living up to customer expectations (57 percent) than about fear of financial penalties (39 percent), and many cite GDPR’s sheer complexity as the biggest obstacle to achieving compliance. Still, companies were more likely to see GDPR as good for their business (65 percent) than bad (15 percent).