A decision by the Data Protection Commission against Twitter yesterday sends a serious message to all businesses and data controllers to have systems in place to ensure compliance with GDPR, a Fine Gael Senator has said.
Senator Mary Seery-Kearney was speaking after the DPC, as the Irish Supervisory Authority or privacy watchdog, imposed a fine of €450,000 on Twitter for a breach of Article 33(1) and 33(5) GDPR.
Senator Seery-Kearney said, “The breach centres on a bug that publicly exposed the tweets of private restricted accounts on Android devices. The fine, however, is not for the breach itself, but instead for the failure to report it in accordance with GDPR obligations that require a reporting of a breach to the DPC within 72 hours of its detection. The second element was for the failure to adequately document the breach.
“The timeline for the breach is that the bug was detected on 26 Dec 2018; its seriousness wasn’t appreciated until 3rd January 2019 due to what the company cites as Christmas holiday staffing levels. The breach was eventually reported to the DPC on 8th January 2018, outside the mandatory 72-hour notice period. The administrative fine is for a failure to adequately document the breach and a failure to report it within the requisite time frame.
“I think all businesses need to give urgent and serious consideration to their systems of reporting breaches to the DPC. Invariably, in my experience as a Data Protection Officer for several organisations, breaches occur on a Thursday evening and by the time internal investigations can occur and the matter is dealt with it can be up to a week later before the report is made.
“I have always encouraged companies to make a precautionary notification to the DPC once a breach is suspected; it can be withdrawn later if found to be overzealous, but it is much better to be wrong about the breach than to fail to notify it within the legal timeframe.
“Businesses who fail to prepare for a breach may find their failure to be very costly. This is especially important while employees are working from home.
“The decision by the DPC also illustrates that how a breach is handled is just as important as the fact that it occurred, so being prepared for the breach, even during holidays with depleted staffing numbers, and the administration of that breach process is vital for all businesses,” Senator Seery-Kearney concluded.