Since the news broke of what Cambridge Analytica had done, there has been a media frenzy of stakeholders reacting, accusations being thrown around and public outrage over what is considered a gross breach of consumers' trust. Suffice it to say that Facebook has a lot of assurances to hand out to its angry consumers.

With the adoption of the General Data Protection Regulation (GDPR) and its long overdue enforcement, will incidents like this be deterred?

Let’s make some sense out of all the noise surrounding the issue and answer this question.

What in the world has happened?

Cambridge Analytica (see their webpage: https://ca-political.com/) claims that, as a company, they lead data-driven political campaigns, which, given the political arena today, seems like a rather smart thing to do. However, the question arises: how do they get access to this data, and how do they collect it?

This is where the problem lies: in 2014, Cambridge Analytica acquired data from 50 million Facebook users and THEIR FRIENDS, without them being made aware of it, to build psychological profiles of consumers and target them effectively with content in order to carry out political campaigns.

The primary data privacy issue, in this case as well as in general, is getting informed consent. The fact that the people, or Data Subjects as they are called in GDPR terminology, did not know that their data and their friends' data was being used for the purpose it was actually used for, namely political campaigning, is problematic. And this is where the GDPR steps in.

GDPR – the savior?

The GDPR makes it incumbent on companies to gain the informed consent of the person whose data is being used, in three ways:

  1. It makes it necessary for them to collect only the data that is aligned with the purpose of the company itself, along with a legal justification of that purpose.
  2. The company also has to make sure that it gains the consent of the person in a clear and concise manner (so goodbye huge-ass, complex, consent-taking essays).
  3. It also gives the person the right to withdraw their consent at any moment, so if the person finds out that their data is being leveraged to design a political campaign for a candidate they don't like, they can easily retract their approval.

The GDPR also makes it mandatory for companies to list their processes, document their processing activities and make maps to ensure transparency for their consumers as well as the authorities.

Did Facebook have Technical and Organizational Measures in place to deter these kinds of incidents? Who knows? But if they did, clearly they were not effective enough, since a third party, namely Cambridge Analytica, was able to harvest the data to its advantage through its application. The enforcement of the GDPR ensures that the path that data and its related processing take through the corporation is documented, so that the Data Subject knows exactly what their information is being used for.

It also puts pressure on C-level executives to take proper measures to comply, since they are held personally liable for breaches. So yes, it is in the personal interests of CEOs to make sure that slips like these do not happen.

In short, once the GDPR is enforced, incidents like these will be heavily penalized and, to a degree, prevented, thanks to the documentation of processes and the imposition of heavy penalties. In a post-GDPR world, what Cambridge Analytica did will, for all intents and purposes, be illegal. The failure of Facebook's processes would essentially be severely punished as well.

So yes, we definitely believe that the GDPR will be a hero of sorts and will empower people through greater autonomy over their data.


Disclaimer: the picture in the featured images has been taken from AIB (http://allindiabakchod.in/)