With much of the business world focused on complying with the stricter rules on protecting personal data under the imminent GDPR, the revelation that the Information Commissioner’s Office was applying for a warrant to search the offices of Cambridge Analytica probably sent a shiver down the back of even the best prepared company.

Channel 4 News’ undercover investigation, during which senior executives at Cambridge Analytica explained how they used personal data, originally mined from Facebook, to influence elections using unsavoury, even illegal, tactics, revealed the extent to which personal data can be used and abused.

Facebook data harvested by Cambridge Analytica

It appears from the media reports that the data (relating to some 50m individuals in total) was originally harvested from a Facebook personality quiz using an app developed by a Cambridge academic, Dr Kogan, for Cambridge Analytica. They used the data to create psychological profiles of people (without their knowledge) – which, it is alleged, prompted the company to start using the data for more nefarious purposes. It is alleged that both the Trump and the pro-Brexit campaigns benefited from Cambridge Analytica’s data manipulation services. The role of Facebook is not entirely clear; according to the BBC report, Facebook maintains that Dr Kogan ‘violated the site’s policies’. Regardless, when they discovered how the data was being used, it removed the app and demanded the data be deleted. The claim is that Cambridge Analytica did not delete the information which led to Facebook sending in officials to check – and the Information Commissioner’s subsequent investigation and application for a warrant to conduct a search.

Facebook, although insisting that they did not authorise the use of this data in any way, has found itself on the back foot, reflected in the rapid, significant drop in its share value. At a Commons Select Committee inquiry last year, the company failed to convince MPs that they were meticulous about looking after their users’ information and this latest scandal is unlikely to help their cause to be seen as a scrupulous custodian of personal data.  

Management of personal data must be meticulous

The revelations come at a particularly sensitive time: organisations all around the EU are preparing for the impact of GDPR which will require them to be meticulous about the way they store, manage, and process personal data. Any companies which may have decided to take a more relaxed approach to their GDPR compliance obligations should probably be re-evaluating their attitude to the regulations.

One could argue that this incident couldn’t have come at a better time for those responsible for ensuring GDPR compliance and who are still trying to convince colleagues to take the new regulations seriously. On the face of it, the regulations may seem onerous, not least the necessity for acquiring active, opt-in consent for the sending of marketing communications, for instance. In other areas of the business, other legal bases, such as the performance of a contract or legitimate interests, are all hot topics of conversation as businesses try to seek ways to legitimise their data processing in a way that avoids relying on consent, especially now we, as data subjects, can withdraw our consent and potentially cause chaos to those who rely on our consent to process our personal data.

However, it is beholden on all businesses to assess what they need to do in order to comply – and the Information Commissioner has demonstrated that she won’t shy away from investigating allegations of data misappropriation or misuse. Nonetheless, she has, on the ICO website, made it clear that if a company is already compliant with current data protection legislation, then the step to becoming GDPR compliant is a relatively short one.  

Don’t ignore the GDPR

The fall-out from the Cambridge Analytica / Facebook debacle is a sobering tale of how deeply social media platforms can delve into our lives without us really understanding the length of their reach. The vast majority of companies with access to personal data only tend to use it for relatively limited purposes but this current scandal should serve as a timely warning for anyone tempted to try and side step the regulations, to knuckle down and get their house in order. The Information Commissioner has made it very clear that she and her office are not to be trifled with.

About the author

Christine Jackson Partner

Christine advises on a wide range of supply chain, commercial and intellectual property related matters in the technology, retail, sport, transport/logistics and waste management sectors.