In an era where data is considered one of the most valuable assets, protecting it has never been more critical for businesses. The recent €251 million fine imposed on Meta Platforms Ireland Limited by Ireland’s Data Protection Commission (DPC) underscores the importance of adhering to the General Data Protection Regulation (GDPR). This fine, stemming from a 2018 data breach, serves as a stark reminder of the high stakes involved in safeguarding personal information. For businesses of all sizes, the Meta case highlights both the potential consequences of non-compliance and the importance of robust data protection practices.

The Meta breach: a costly oversight

The breach in question, which impacted 29 million Facebook accounts worldwide, including 3 million in the European Union (EU) and European Economic Area (EEA), involved highly sensitive personal data. Among the compromised details were users’ full names, email addresses, phone numbers, locations, and other key personal information which could prove very useful to those with nefarious intent. The vulnerability stemmed from Facebook’s “View As” feature, which cybercriminals exploited to gain access to user tokens. This allowed attackers to view multiple user profiles with full permissions – giving hackers full access to data which could be useful for phishing attacks or other cybercrime.

The DPC’s investigation revealed several violations of GDPR, including:

  • Failure to provide a comprehensive breach notification.
  • Failure to implement appropriate security measures to protect data.
  • Breach of data integrity and confidentiality.
  • Lack of documentation of personal data breaches as they occurred.
  • Repeat offences – this was not Meta’s first experience of being fined for data protection violations: it received a €17 million fine in March 2022, and a €1.2 billion fine for the same offence in May 2023.

Overall, the total fine for this breach was €251 million, divided into €130 million for design-related data protection violations, €110 million for processing unnecessary personal data, €8 million for incomplete breach notifications and €3 million for inadequate documentation.

While Meta addressed the vulnerability promptly, this enforcement action underscores a critical lesson: reactive measures cannot replace proactive compliance. Businesses must embed data protection principles throughout their operations, from system design to breach response protocols.

A history of GDPR breaches

It may come as no surprise that Meta is far from the only household name to be less than transparent and secure when it comes to data collection. Major brands such as Amazon, British Airways, EA, and TfL have all previously received penalties for issues related to personal data. Some of the cases which made headlines include:

  1. Amazon: €746 million (2021)
    Amazon made history for all the wrong reasons in 2021, when the Luxembourg National Commission for Data Protection fined the company a record €746 million for processing personal data in violation of GDPR. The decision highlighted the need for transparency in how businesses collect and use personal data, particularly when it comes to targeted advertising.
  2. WhatsApp: €225 million (2021)
    The second largest fine to be levied by the DPC went to WhatsApp in 2021, addressing failures in providing sufficient transparency regarding how user data is shared with Facebook and other third parties – the DPC determined that greater transparency was required to ensure security of data.
  3. British Airways: £20 million (2020)
    In 2020, the UK’s Information Commissioner’s Office (ICO) fined British Airways £20 million following a cyberattack in 2018 that compromised the personal and payment information of over 400,000 customers. The investigation revealed inadequate security measures to protect customer data.
  4. H&M: €35.3 million (2020)
    2020 also saw H&M fined €35.3 million after it was revealed that they had been unlawfully monitoring employees’ personal lives, including sensitive details such as family issues and religious beliefs. This case serves as a reminder that GDPR applies not only to customer data but also to employee information.

Lessons for businesses

So, what does this mean for you? The Meta breach and other high-profile cases illustrate the potential consequences of failing to comply with GDPR – but also provide insights into how to stay safe. For businesses, these cases highlight key areas to focus on:

Collect only necessary data to begin with

GDPR requires organisations to build data protection into their processes from the start. This means collecting only necessary data, enforcing strong access controls, and conducting regular system audits. Cases such as H&M demonstrate that the collection of excessive data, without good reason, can lead to high fines and penalties.

Embed comprehensive breach notification protocol

A key element of the Meta case was a failure to notify authorities of the breach in good time. GDPR mandates that data breaches be reported to the relevant supervisory authority within 72 hours of discovery. Organisations must have clear protocols in place to identify, document, and report breaches promptly and comprehensively.

Maintain transparency and communication

Clear and transparent communication with customers and regulators is essential for maintaining trust. Businesses must explain how they collect, use, and protect data, and inform affected parties promptly in the event of a breach.

Invest in regular training and awareness

Employees are often the first line of defence against cyber threats. Regular training on data protection practices, phishing awareness, and GDPR requirements can significantly reduce the risk of human error leading to a breach.

Engage with regulators

Demonstrating a proactive approach to compliance and cooperating fully with supervisory authorities can help mitigate the consequences of a breach if something does happen.

The broader impact of GDPR breaches

The financial penalties associated with GDPR violations are only part of the equation. Businesses also face reputational damage, loss of customer trust, and operational disruptions in the wake of a data breach. For example, British Airways is thought to have experienced significant public backlash following its 2018 breach, leading to a decline in customer confidence, while H&M’s fine not only highlighted internal compliance failings but also exposed the company to reputational harm among its employees and the public.

For small and medium-sized businesses, the risks are particularly acute. While larger corporations like Meta and Amazon may have the resources to absorb hefty fines, smaller businesses often face existential threats from similar breaches and financial penalties – and loss of trust from their customers can mean the end of their business.

Final Thoughts

The €251 million fine imposed on Meta serves as a powerful reminder of the importance of GDPR compliance. Data protection is no longer optional—it’s a fundamental responsibility for all businesses. By embedding data protection principles into their operations, providing transparency to customers, and maintaining strong security measures, organisations can not only avoid regulatory penalties but also build trust and resilience in an increasingly complex digital landscape.

For businesses that are yet to prioritise GDPR compliance, the time to act is now. Proactive efforts today can prevent costly consequences tomorrow and safeguard the long-term success of your organisation – so get in touch, and see how Bob’s Business can help you secure long-term security with robust, engaging and educational training which will equip your team with the tools they need to fight cybercrime – and keep breaches at bay for good.

Download our Data Protection Day resource pack!
