The GDPR more important than ever: Cambridge Analytica 'Big Data' Scandal

Cambridge Analytica has provoked international uproar for exploiting the data of millions to manipulate the US 2016 presidential election and the UK Brexit referendum, using data harvested from Facebook's mobile application, "Thisisyourdigitallife".

Facebook knew about the misuse years ago, requested the deletion of the data by Cambridge Analytica yet didn’t blacklist until recently. Facebook have terms of use for third parties and developers but it has had minimum security checks and controls.

Both Facebook and Cambridge Analytica have denied any wrongdoing. 

From a compliance perspective, the app was launched in 2015 and so was covered by the Data Protection Act (DPA).

But if it were to be in use after 25 May 2018, then the General Data Protection Regulation (GDPR) would apply. Here's how both Cambridge Analytica and Facebook would be implicated. 

Big data.jpg


Online identifiers and profiling 

The DPA only covers personal data and sensitive data. But Cambridge Analytica used data to psychologically profile people and deliver a series of content to manipulate their beliefs and values. The GDPR will not allow businesses to profile people without their explicit permission. The regulation covers online identifiers, profiling data subjects, and other data you have. 


Explicit consent 

The application was developed by University of Cambridge academic Aleksandr Kogan who has no connections with Cambridge Analytica. As was common with apps and games in 2015, the application was designed to harvest not only the user data of the person taking part in the quiz, but also the data of their friends. 

Facebook has since changed the amount of data that developers can scrape in this way. However, the General Data Protection Regulation puts responsibility on both the controller and processor. In this case, Facebook would have a responsibility to protect the data subjects and be transparent and explicit about how the data is to be used.

controller vs processor.png

Want to learn more about GDPR? Join our upcoming workshop


Time it takes to report a breach

Cambridge Analytica has been withholding information. Under the DPA, breach notifications are not mandatory. The business can decide who and what they report to the ICO. However, under the GDPR, breach notifications are mandatory and must be made within 72 hours or face huge fines. Penalties for breaches of the GDPR are substantial - sharing personal information and using it beyond the stated purpose will incur a €20 million or 4% of global turnover fine


GDPR changes.png


Time to get your data policies up to the mark!

According to the Global GRC Survey 2018, 99% of governance, risk and compliance professionals feel their businesses aren't fully prepared for the General Data Protection Regulation. 

Prepare for the regulation, get template policies, and ask questions by joining our GDPR workshopClick here to learn more.

Alternatively, download our GDPR toolkit



Topics: ISO 27001, GDPR

Share your thoughts on this article