By Adam Simon, Global Managing Director
Several weeks ago, the Information Commissioner’s Office (ICO) launched a new awareness-raising campaign about the impending European General Data Protection Regulation (GDPR). The privacy regulator was facing an uphill struggle, with government figures suggesting just 38% of businesses have even heard of the sweeping new regulation. And then the Facebook/Cambridge Analytica news broke.
Information commissioner Elizabeth Denham may well be quietly thanking the social network. Few stories demonstrate so effectively why the GDPR was created, what can happen if firms ignore it, and why privacy should be at the heart of everything businesses do today.
There’s so much commentary out there on this compelling story that it pays to first revisit the hard facts. Data analytics firm Cambridge Analytica, the company that helped get Donald Trump elected, managed to collate a trove of Facebook data on 50 million users – most of whom did not give their permission. How did it manage to do this? Via a developer: Cambridge University professor, Aleksandr Kogan. His thisisyourdigitallife app used the Facebook Login feature which allows users to log-in to third-party apps via their Facebook credentials. If a user chooses this option, Facebook shares some of their data – including name, location, email and friends list – with the developer.
Unfortunately, back in 2015, Facebook’s T&Cs also allowed developers to collect limited info on those users’ friends. According to reports, this could have included info on those users’ locations and interests, photos, status updates, check-ins and more. From the 270,000 users who actively logged-in to the app, Kogan was therefore able to harvest data on 50 million. He then shared this data with Cambridge Analytica, breaking the Facebook terms of service. It’s reported that the analytics firm was able to find enough info on 30 million of these users to match to other records out there and build psychographic profiles of mainly US voters.
This self-styled “psychological warfare” tool allowed for the targeting of political advertising to swing voters in the US presidential election and potentially the EU referendum, it is claimed.
How is the GDPR relevant?
Although Facebook has since changed the offending T&Cs, limiting what developers can hoover up on users of the Login service, the story remains a timely reminder of why the GDPR was created in the first place. The regulation is all about giving internet users more control over their data, and forcing organisations which process that data to be more accountable and transparent. Another key principle is Privacy by Design: any new service or process must be designed with user privacy built-in from the start, not tacked on as an afterthought.
Facebook clearly failed to follow this principle when it first designed its Login service. It was also less than transparent in notifying users what would happen with their data. Hiding away information on small print T&Cs will not cut it with GDPR regulators – consent must be requested explicitly in plain English. Finally, it has been less than accountable, effectively blaming Kogan and Cambridge Analytica for the breach of its terms of service. As data protection lawyer Abigail Dubiniecki has argued, in the post-GDPR world “you can’t kick your liability down a chain and say ‘it wasn’t me it was a supplier’ or, ‘we had contractual language in there and they breached the contract, not our problem’.”
So what does this mean for ordinary businesses? The above may be an extreme example, but should serve as a cautionary tale nonetheless. The subsequent fallout from the revelations wiped nearly $40bn off Facebook’s value and led to a campaign for users to delete their accounts. Long-term customer trust may be hard to win back. In fact, recent RSA Security research claims that 69% of consumers would boycott a company that shows no regard for protecting their data.
Organisations must wake-up to the reality that user privacy is the new normal. Ignore it, and the GDPR, and your business will run the risk not just of potentially huge regulatory fines, but also long-term customer attrition and brand damage. On the other hand, those that embrace a privacy-centric model stand a great chance of building closer relationships with their customers based on mutual trust and respect. That’s the path to competitive differentiation and growth.