In this piece I am not going to comment on the legality of the companies’ actions, that is for others to decide, and I don’t want to be sued(!!). Nor am I going to comment on the morals and ethics of what went on, because some will say it is outrageous and others will be less bothered and I am going to hide behind neutrality. I will simply look at what has happened through the lens of the GPDR.
The 270,000 people that took the online quiz on Facebook, where the data was scraped from, had no idea that their data was going to be shared with another company, nor did they know that all their friends’ data would be harvested as well. Under the GDPR organisations must inform an individual of what they will use the data for, who they will share it with, where it will be sent and for how long it will be stored for at the point of collection. Now imagine if you were about to take the quiz and you see a notice that says something like;
“By taking this quiz we will create a psychological profile of you, which we will share with Cambridge Analytica (but we’re not quite sure what they’ll do with the data) and we are also going to take the information of all your friends and send that to Cambridge Analytica as well (again we’re not entirely sure why they need this, but since we’re looking at your Facebook profile we might as well do it as we’re there).”
Would you sign up to the quiz? No of course you wouldn’t. This is precisely why the GDPR insists on transparency. Not only will it inform the individual what will happen to his / her data, but it will also rein in the worst excess of corporate data manipulation. Having said this, there is a responsibility on the individual to control their own data and privacy settings; if your whole world is visible to the world, then don’t be surprised if someone uses it in an unexpected, or indeed unsavoury way.
What is clear from the GDPR is that the data controller must know where the data has come from and where it is going to, i.e. to be in control of their data throughout the whole of the value chain. Being in control of the origins and destinations of the data it is processing then allows it to be transparent to the data subject about what is going to happen to the personal data that the individual is about to submit, or where it came from.
In the first instance, organisations need to understand where the data has come from. When consumers visit a company’s website and sign-up to receive marketing messages, newsletters and the like, then this is simple because there is a direct relationship. However there are many companies that have bought cold data lists in the past. Under the GDPR a company needs to understand whether the people in the list gave permission for their personal data to be shared. The days of the marketing list companies just trawling for data without getting permission from the individuals to share it and then selling it on are limited. The major consequence of this is that as people become more aware of their rights, it is the company that bought the list who will suffer the complaints and subject access requests, not necessarily the marketing list company. Reacting and dealing with these requests is going to take up an inordinate amount of time if companies don’t have a robust and well-rehearsed procedure.
By the same token organisations must know what is going to happen to the data that they give to a processor, or other organisation. Under the GDPR data processors may only process the data given to them for a specific purpose and once that purpose has been fulfilled, then the data must either be returned to the controller, or destroyed, with certification to prove that this has been done. Whether or not the data was indeed deleted is one bone of contention between Facebook and Cambridge Analytica, although I am sure there will be many more.
Therefore a data controller must know at all times the full lifecycle of the personal data that they collect, process and store from the point of collection all the way through to destruction.
The fall out
Already the stock markets have reacted by wiping $50 billion off Facebook’s market value. Mark Zuckerberg has been summoned to the House of Commons to face a parliamentary committee and to testify before Congress to answer for Facebook’s actions.
The Chief Executive of Cambridge Analytica, Alexander Nix, has been suspended. Also the ICO has applied for a search warrant to enter Cambridge Analytica’s UK offices. Once the investigation starts this will take a huge amount of management time and effort. Since it is a private company we are unable to quantify a monetary impact in the same way as Facebook, but perhaps there are shades of the Bell Pottinger catastrophe.
Mark Zuckerberg said in a statement on his Facebook page it was a breach of trust “between Facebook and the people who share their data with us”. He continued: “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.
One of the key themes, as highlighted in Zuckerberg’s comments, is trust. If your customers cannot trust you with their data, then they are not going to use you in the future. This will mean a dramatic fall in your customer base and therefore revenues. So all organisations that process personal data, whether belonging to employees or customers, must ensure that they know where it came from, where it’s going and what will happen to it at each stage of the value chain.
In the course of my work helping companies to ensure that they are compliant with the GDPR, we have come across people who have stated that the GDPR is just red tape made up by faceless bureaucrats who have no idea about business. In light of these revelations about how some companies use and abuse personal data, I wonder if these same people are in the ‘outraged’ or ‘not bothered’ camps!!
There are many downsides to not being compliant with the GDPR; in this case $50bn wiped off Facebook’s market value and the loss of Cambridge Analytica’s CEO and an ICO investigation as well as massive media scrutiny.
But there are also some huge upsides and benefits from compliance, which is what we at The Data Guardians try to focus on more. If you would like to avoid the downsides and take advantage of the upsides then please visit our website to find out more on how we can help you, or contact us at firstname.lastname@example.org.