Cambridge Analytica has provoked international uproar for exploiting the data of millions to manipulate the US 2016 presidential election and the UK Brexit referendum, using data harvested from Facebook's mobile application, "Thisisyourdigitallife".
Both Facebook and Cambridge Analytica have denied any wrongdoing.
From a compliance perspective, because the app was launched in 2015, it is covered by the Data Protection Act (DPA). But if it were still in use after 25 May of this year, the General Data Protection Regulation (GDPR) would apply instead. Here's how both Cambridge Analytica and Facebook would be implicated under each regime.
Online identifiers and profiling
The DPA only covers personal data and sensitive data. But Cambridge Analytica used data to psychologically profile people and deliver a series of content designed to manipulate their beliefs and values. The GDPR will not allow businesses to profile people without their explicit permission. The regulation covers online identifiers, the profiling of data subjects, and the other data you hold.
The application was developed by University of Cambridge academic Aleksandr Kogan who has no connections with Cambridge Analytica. As was common with apps and games in 2015, the application was designed to harvest not only the user data of the person taking part in the quiz, but also the data of their friends.
Facebook has since changed the amount of data that developers can scrape in this way. However, the General Data Protection Regulation puts responsibility on both the controller and processor. In this case, Facebook would have a responsibility to protect the data subjects and be transparent and explicit about how the data is to be used.
Time it takes to report a breach
Cambridge Analytica has been withholding information. Under the DPA, breach notifications are not mandatory: the business can decide what it reports to the ICO, and to whom. Under the GDPR, however, breach notifications are mandatory and must be made within 72 hours, or the business faces huge fines. Penalties for breaches of the GDPR are substantial: sharing personal information and using it beyond the stated purpose will incur a fine of €20 million or 4% of global turnover.
Time to get your data policies up to the mark!
Alternatively, download our GDPR toolkit.