What we need to learn from Twitter’s £400,000 fine

The Irish Data Protection Commission (the Irish equivalent of our own ICO) has fined Twitter €450,000 (about £400,000) over how it handled a personal data breach that it discovered over Christmas 2018 and notified to the regulator in January 2019.

The DPC found that Twitter had failed to notify the breach within the 72 hours required by Article 33 of the GDPR, and that it had not documented the breach adequately. Twitter has accepted responsibility.

The underlying problem was a bug in Twitter's Android app, present since 2014, which in some circumstances (for example when a user changed the email address on their account) silently switched protected (private) tweets to public.

Twitter cited reduced staffing over the Christmas 2018 holiday period as the main reason the notification did not happen when it should have, so what can we learn?

  • Make sure your personal data breach policy is documented, clear and everyone knows where the responsibilities lie, including who decides whether the 72-hour clock has started
  • Train people to recognise an actual or potential personal data breach and to know what to do about it, including who to tell and how quickly (Christmas holidays are no excuse)
  • Run a simulated breach exercise once in a while to check that the policy works with the people who are actually on duty

If you would like your data breach policy and procedure reviewed, why not get in touch? We can do this as a standalone piece of work, or as a part of our data protection review.