Social media giants fined and investigated for GDPR breaches – don’t get caught out by GDPR

11 October 2021 / Insight posted in Articles

If you are a UK business owner or manager, you will be well acquainted with GDPR, whether for positive or negative reasons. You are probably acutely aware of the many ways in which GDPR can be breached and the potential fines for doing so.

Further, the increasing tendency post-Coronavirus for employees to work remotely abroad for UK businesses and use online storage services means that data can often be transferred to other EU countries or even outside the EU, heightening the risk of data breaches under both UK and EU GDPR.

Despite the UK’s withdrawal from the EU, compliance with the GDPR is still very much a legal requirement. The EU’s GDPR was implemented in the UK by the Data Protection Act 2018, so UK GDPR remains in place with all the same provisions and sanctions as previously. If you do business in the EU or transfer data between the UK and the EU/EEA, you still have to comply with the EU’s GDPR.

A couple of recent cases have brought GDPR back into the spotlight.

BBC News reports that Ireland’s data regulator fined WhatsApp €225 million for breaching data protection rules by not being transparent enough about its processing of personal data, and is also investigating whether TikTok’s processing of children’s data breached the GDPR. Both WhatsApp and TikTok deny any wrongdoing regarding GDPR, and WhatsApp plans to appeal the regulator’s decision.

WhatsApp and TikTok are social media giants. It is difficult to say whether the problems were unique to those two businesses or whether there is a general industry issue that could lead to media businesses and agencies being scrutinised from a GDPR perspective.

Although the decision was made by the Irish regulator, it is still relevant for any breaches of the EU’s GDPR. It is, therefore, likely to be used as guidance by the UK’s Information Commissioner’s Office when dealing with UK GDPR breaches.

As a business owner or manager in this industry, you must be particularly on your guard. Check that your business’s GDPR house is in order. In particular, ensure your business’s privacy notices are clear and transparent about all the key matters. These include what data is being collected, the lawful reason for collecting it, who it will be given to and why, and what the data subjects’ rights are.

Your business should also ensure that all staff who handle personal data are trained specifically to understand:

  • Your business’s privacy notices, policies, contractual documentation and handbooks.
  • Their obligations when handling personal data, especially what they can collect and why, when further privacy notices or consents might be necessary, when data should be deleted or anonymised and how to comply with data subject access requests.
  • The potential consequences of breach for your business.
  • What they should do and who they should speak to if they commit or discover a GDPR breach.
  • Who they can go to with any GDPR-related queries.

Additionally, your business should have HR processes in place to address any breaches, whether malicious or careless, as they can have serious consequences for your business. Disciplinary action may be necessary or perhaps even dismissal in the most serious or persistent cases.

In our experience, most GDPR breaches tend to happen because of mistakes, lack of understanding or misapplication of the rules rather than through malice. You should have processes to help prevent specific risks, for example:

  • An email or attachment sent to the wrong person.
  • Forwarding a chain of emails including personal data.
  • A message left on the wrong answerphone or voicemail.
  • Missing some personal data or third-party data when redacting a document.
  • Documents left on a desk, photocopier or public transport.

Remember that GDPR is not only about customer data. It covers the personal data of employees, workers and contractors, as well as data subject access requests made under the GDPR. Complaints to the Information Commissioner’s Office (which can result in a business being fined) are becoming increasingly popular among individuals who are in dispute with their employers.

In addition to commercial privacy notices, your business should have staff-specific policies, privacy notices and contractual provisions. This is so that individuals understand what personal data is collected, why, who it is distributed to, how it is used and the data subject’s rights regarding their personal data. Ensure that data is accurate and is not kept longer than necessary for the purpose for which it was collected.

Investigations can be stressful, time-consuming and expensive, so get your HR aspects of GDPR watertight. Your bare minimum should be privacy notices, policies, processes and contract terms. Then you should follow the steps laid out above.

If you would like to speak to a member of the team to discuss how we can support your business in achieving GDPR compliance, please contact us:

MKSHRC@mks.co.uk | +44 (0)20 7566 4000