The 25th May 2018 implementation date of the General Data Protection Regulation (“GDPR”) is fast approaching and brings data protection legislation firmly into the 21st century. When I sat down to write an article that combined a digital theme and GDPR, I was wondering where to start, and then along came Facebook and Cambridge Analytica. Thank you Mark Zuckerberg and Alexander Nix. If Mr Nix was unknown before, the now suspended CEO of Cambridge Analytica is certainly in the headlines now.
It’s not been a good few weeks for the Facebook founder. Regulators are investigating the misuse of some 50 million Facebook users’ personal data, at the time of writing.
Private sector organisations are not currently required to report data breaches. GDPR will change this, as Elizabeth Denham, the Information Commissioner, highlighted in a recent Channel Four interview.
The impact on Facebook’s currently plummeting shareholder value, along with the reputational damage and the potential fine for the breach, combine to form a strong reminder of the vital importance of sound data management.
So what happened to Facebook?
Cambridge Analytica had personality profiles on millions of Facebook users, using psychological profiles for a ‘big data’ approach to campaigning in the 2016 US Presidential elections; originally for Ted Cruz, and then Donald Trump when he became the Republican nominee.
Cambridge Analytica obtained this data via an app that was developed by a researcher from Cambridge University called Aleksandr Kogan. Users signed in using their Facebook accounts to access a personality quiz. The app collected data from only around 270,000 user profiles, such as name, location, age, gender, and their page likes. However, it also collected the same data from their friends, whose security settings allowed sharing their data through apps without any consent whatsoever, hence the grand scale.
Now the terms and conditions of the app (bearing in mind the small subset who used it) apparently granted the right to use the data in broad scope, including selling and licensing the data. Facebook, however, understood the data was only to be used for academic research. This changed in 2013 when Kogan was approached by a UK affiliate of Cambridge Analytica, going on to change the app terms from ‘research’ to ‘commercial’ in 2014.
Facebook is being accused of not policing who has access to users’ data, hence the rather sticky situation they now find themselves in. So next time the ‘accept’ button displays, this is a good reminder to read the terms.
Carrying out a privacy check on your Facebook settings will confirm what information is being shared with friends or third-parties. Also consider why an app allows you to log on using your Facebook or Google password. Change your password and use different ones for different apps.
Facebook is not alone. The information Google holds on users is available to access here. A similar download app is available from Facebook here.
The story reminds us that if the service is free, then you may well become the product on offer. Data is valuable; it drives the targeted adverts we see when we browse. Technology will evolve beyond the fitness and health apps that measure our sleep and exercise patterns and the location apps that track our movements. In the future, when “The Internet of Things” is promised to integrate with household appliances, such as the fridge, there will be even greater levels of visibility about our preferences and habits.
Whether it’s morally wrong for websites to know that you like a certain wine or the date of your wife’s birthday may be unimportant. This is how they fund the free service to you and me, with companies willing to pay for their adverts to appear on your device when you check social media.
What is wrong is when users are deceived into sharing data they otherwise would not have shared, when users’ data is harvested, or used for a purpose other than that which we intended. Targeted advertising is one thing; attempting to influence unfairly is another.
The acts of Facebook and Cambridge Analytica could not have been better timed to demonstrate the reason why GDPR has been implemented, as its premise is to hand control back to the user. It’s where the ownership of data is restored to the individual.
At BDO we are supporting our clients up to 25 May and beyond through readiness checks, impact assessments, breach response plans as well as on the overall governance of information. For more information on how BDO can assist with your ongoing GDPR requirements across the Channel Islands, contact Steve Desmond in Guernsey or Damon Greber in Jersey.
This article originally appeared in Contact magazine.