23 March 2018 #Data Protection
The news surrounding Facebook and Cambridge Analytica sends a clear warning to organisations holding and processing personal data - tighten up your data processing and let individuals know what you will be doing with their data!
While the investigations of any wrongdoing by Facebook are ongoing, Facebook founder Mark Zuckerberg has already admitted that there has been a “breach of trust”.
The news could not be more timely. In the EU (including the UK), the General Data Protection Regulation is coming into effect on 25 May 2018. Amongst the changes are increased fines for data breaches (which, for some breaches, could be up to 4% of annual worldwide turnover or €20 million, whichever is higher) and the requirement for transparency on processing data. Put into context, based on Facebook’s reported turnover in 2017, 4% of global turnover equates to approximately $1.63 billion.
The allegations surrounding Facebook relate to a personality quiz offered on the platform in 2014. The data from the responses (for around 50 million users) was then allegedly sold to Cambridge Analytica and used by political clients. Current allegations include that such data was used in the 2016 US presidential election campaign.
While the investigations have only just begun, the impact can already be seen, with the scandal reportedly wiping around $37 billion off the value of the business and some advertisers threatening to withdraw advertising. While Facebook says that it will change how it shares data with third-party apps in the future, the damage has already been done.
While many organisations may think that such scandals will never affect them, the GDPR requires data controllers to be transparent about their uses of personal data, so all organisations need to consider their position. A privacy notice enables controllers to set out what they will do with individuals’ personal data. Abiding by this notice should then restrict the use of the data to confined boundaries and avoid any such negative press.
If you need any help compiling a privacy notice, or need to discuss the upcoming changes under the GDPR, please contact us at firstname.lastname@example.org