Turns out it’s data, not diamonds, that’s a girl’s best friend…
In 2014, Facebook invited its users to complete a personality type quiz. It was designed not only to obtain the data of the individual completing the quiz but also their friends’ data. Facebook has since changed companies’ abilities to obtain information this way.
Christopher Wylie, who worked with Cambridge Analytica, alleges that the data of some 50 million users, mainly in the US, was taken without their explicit consent via their friend networks. It is alleged that the data was sold to Cambridge Analytica. Cambridge Analytica offers services to businesses and political parties, claiming to analyse volumes of consumer data in combination with behavioural science in order to identify people whom organisations can target with marketing material. It is alleged that the data from the quiz was used to psychologically profile people and deliver pro-Trump material to them. Cambridge Analytica denies these allegations.
Facebook say that when they discovered their rules had been breached, they removed the app and demanded assurances that the information had been deleted. Cambridge Analytica claims that it never used the data, and deleted it when Facebook told it to.
Both Facebook and Cambridge Analytica deny wrongdoing but will now be the focus of scrupulous probes and investigations on an international level. Mark Zuckerberg, the founder of Facebook, has been asked to testify before the US Congress; in the UK, he has been summoned by Parliament to explain Facebook’s failure, and the European Parliament has also said it would investigate. The UK Electoral Commission is also investigating what role Cambridge Analytica played in the EU referendum.
This latest frenzy highlights how valuable our personal data is and how easy it is for firms to use and manipulate it for a completely different aim or objective. But this isn’t new. As social media and technology have developed, data has always been a prized commodity. What is new is that the Facebook/Cambridge Analytica story is making users think. It is making them wake up to just how much information is stored about them. The real question is whether this breaking news story will make anyone act any differently. How many people do you know that have actually deleted their Facebook account in light of this story?
GDPR
Whether or not users are alive to the issues of data collection and storage, firms need to be. Why? Because GDPR, a new set of rules, is coming in on 25th May 2018 and will apply to all organisations that collect or retain personally identifiable data from any European individual.
The aim is to standardise data privacy laws across industries, ensuring fundamental rights of individuals are protected in today’s increasingly data-driven digital economy. Some issues the regulations deal with are consent, record keeping and privacy notices.
Do you find yourself thinking…
… “My company has never had a problem with data protection before, I’m not going to bother myself with the new GDPR laws, I’ll just carry on doing what I always have been”?
If so, think again.
The penalties imposed for failing to comply with the GDPR are severe; ignorance of the law will not be a defence. Any practice in breach of GDPR can be fined up to 4% of annual global turnover (not profit) or €20 million, whichever is greater. This fine can be imposed for the most serious infringements, for example for not having sufficient customer consent to process data. Organisations can also be fined 2% for not having their records in order, for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment.
From a user’s point of view, the GDPR gives them a number of rights including:
1. The right to be informed
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
2. The right of access
Individuals will have the right to obtain confirmation that their data is being processed and access to their personal data.
3. The right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
4. The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
5. The right to restrict processing
Individuals have a right to ‘block’ or suppress processing of personal data.
6. The right to data portability
This allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
7. The right to object
Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority, direct marketing (including profiling) and processing for purposes of scientific/historical research and statistics.
8. Rights in relation to automated decision making and profiling
Automated individual decision-making is a decision made by automated means without any human involvement, for example an online decision to award a loan. Solely automated individual decision-making, including profiling, with legal or similarly significant effects is restricted.
Whether you are an individual or organisation, safeguarding data, either your own or that of your customers, is of great importance.
If you have any questions about the content of this article please feel free to contact Jigna Varsani on 0207 388 1658 or by email at info@jfhlaw.co.uk.
Jigna Varsani
Solicitor
Please note that the information contained in this article was correct at the time of writing. There may have been updates to the law since the article was written, which may affect the information and advice given therein.