Could GDPR Have Prevented the Cambridge Analytica Scandal?
Unless you’ve recently taken an off-grid sabbatical in a remote cabin in the wilderness, you can’t fail to have noticed that the General Data Protection Regulation (GDPR) is drawing ever closer. Perhaps you've seen the slew of headlines around the Cambridge Analytica/Facebook furore, in which data obtained from a psychographic profiling quiz was reportedly used for micro-targeting and influencing the electorate.
GDPR: Privacy by Design, Not as an Afterthought
The existing Data Protection Act covers two key principles: that data collected is used for a limited, specifically stated purpose; and that sensitive information, such as political opinion, is protected. The GDPR that supersedes it, however, is a major step forward in privacy, granting consumers a much more comprehensive set of actionable rights relating to transparency, definition of purpose, and granularity of consent.
Facebook and Cambridge Analytica initially sang from the same hymn sheet, claiming they had acted lawfully throughout and that data was “harvested” rather than breached. But the opacity of data use was disingenuous to say the least, evidenced in tumbling share prices. In the aftermath, Messenger and Instagram users on Android have come forward to report that Facebook has been keeping complete logs of their incoming and outgoing cellular calls and SMS, based on their synced contacts. Sure, we’ve all clicked “I agree” to War and Peace-length user agreements or the vague statements of intent around cookies that pop up on our screen, but are we giving informed consent?
With GDPR, out go the current industry practices of myriad opt-out options, bundled consents, pre-ticked boxes, and back-door routes designed to grab as much personal information as possible. In come the “five commandments”, namely that consent is: Unbundled, Active, Granular, Named, and Easy to withdraw. With the right to be forgotten, you can ask any service provider that has any dealings whatsoever with the EU to erase your data forever, or hand it over to you in a portable format, and they are legally obliged to comply.
Is the Data-for-Service Model Broken?
It is often said of social media that “if you don’t pay for the product, you are the product”. But should we tacitly agree to some Faustian pact whereby our data can and will be used by those who pay the platforms – not just advertisers but political influencers – just so we can carry on enjoying the services for free?
In the wake of “Facebridge-gate”, digital consumers may well become more savvy and take greater ownership of their data, rather than simply expecting companies to do the right thing. However, the model of data in exchange for a service is still a valid one. Profiling, segmenting, and targeting groups of consumers is the very foundation of modern marketing, and most businesses understand there is a line between monetisation and manipulation. This whole sorry tale is a timely reminder that trust and transparency are hygiene factors to consumers, who have made an uneasy peace with being influenced and are much more willing to share their data if you give them a meaningful value exchange. They rightfully expect their data to be used within the context in which it was collected, by entities with whom they have a relationship, but don’t want their private information to be laid out like an all-you-can-eat buffet for corporate vultures to pick through.
Do as You Would be Done by
As privacy boundaries are constantly tested, GDPR provides a framework to protect us as individuals. In turn, it’s our professional duty to exercise GDPR – which enforces the kind of practices that engender customer trust anyway – in the organisations we work for. And with the data privacy hot potato showing no signs of cooling, we can expect GDPR to gain even more credibility and momentum globally. It is anticipated that, following GDPR’s coming-out party in May, regulators will grant a degree of latitude to businesses that can demonstrate best efforts towards GDPR even if they fall short of compliance. However, for companies that cynically kick their liability down the chain and point the finger at suppliers or business partners for breaching terms, don’t expect such leniency to be forthcoming.
Not GDPR-ready yet? Don’t panic! Our GDPR accelerator and bespoke assessments can help you identify and prioritise the gaps to be addressed. Find out more.