As Facebook is made an example, what can be expected for smaller companies allowing data breaches post-GDPR
The UK’s data watchdog has issued the maximum possible fine against Facebook in the wake of the Cambridge Analytica scandal, whereby the political consulting firm gained access to millions of users’ personal data without their consent.
The ICO’s decision to levy the maximum fine of £500,000 reflects the statement it made in July, when findings from their investigation revealed that the tech giant had failed to protect the personal information of its users by letting third-party developers use the platform without appropriate checks.
While the scandal is unlikely to have a noticeable impact on Facebook’s user count, the negative press surrounding the platform’s approach to data protection has certainly made the public think twice about who they trust with their personal information. For CEO Mark Zuckerberg, a drop of 15 billion in his net worth from sliding stock prices is the deepest cut from the breach. For an SME, failure to comply with new regulations could have a number of disastrous outcomes:
While £500,000 may be pocket change for Facebook, who raked in $40.7bn (£31.5bn) in global revenue in 2017, a fine of this amount can threaten the lifeblood of a small firm. What’s more, had the figure been calculated with the EU’s new GDPR regulations in mind as opposed to the outdated Data Protection Act 1998, Facebook would have faced a whopping fine of £17 million ($22 million) – 4 percent of Facebook’s global turnover.
As well as a PR nightmare, the fines resulting from a data breach could leave firms with fewer than 50 employees in a crisis: redundancies would likely be unavoidable even if the business weren’t forced to close entirely. Naturally, 4 percent of turnover is enough to cause significant damage to any business, but even those who are left standing face further financial damage as the impact of the data breach ripples through their client base and pipeline.
For example, with a tarnished reputation, your marketing efforts will likely return much less positive results than they would have prior to the breach. In short, it isn’t just the ICO fine that poses a threat.
The indirect cost from customer loss
Even if a fine from the ICO is not enough to bankrupt your business, high customer churn could quickly see your finances depleted as clients rush to competitors who boast a clean sheet in terms of data protection.
For firms in the legal and financial space, rebuilding trust with these customers won’t be easy: after all, once their highly sensitive information has been compromised through ineffective cyber-security practices, taking their business elsewhere is the logical choice. As a small firm relying on the reputation of your service and the income generated from a modest client base, even the slightest data breach could be cataclysmic.
A hit to your reputation
Article 33 of the General Data Protection Regulation states that businesses that have suffered a data breach must investigate the cause and report their findings to the ICO within a 72-hour time limit. It goes without saying, of course, that the individuals whose data has been compromised must also be made aware immediately.
Once your clients are notified of a data breach, damage control is key to keeping a blow to your reputation from tanking your finances further. Of course, a reactive approach will never measure up to a proactive one when it comes to data protection and cyber-security. Rebuilding relationships will prove challenging after an incident of this nature – after all, it’s hard to trust a company that has failed to make the effort to protect your data from falling into the hands of criminals.
Goodwill gestures can only go so far, and trust cannot be bought. If your firm has failed to take the necessary measures to keep its clients’ data safe, the only thing you can do is try to be as transparent as possible (Mark Zuckerberg – take note) in regard to the incident, in an attempt to mitigate the risk of suffering further financial loss.