How Will New EU Laws Stop Firms Like Cambridge Analytica?
It was an unusual Friday night in London, especially around New Oxford Street, where Cambridge Analytica’s offices are being raided by UK’s data protection police – the Information Commissioner’s Office or ICO – in connection with claims that the company obtained personal data of millions of Facebook users without their consent.
The scandal has attracted the global spotlight merely two months before any company that processes data of EU residents (and especially professionals in the digital and data sector) will be legally required to comply with the new EU Regulation 2016/679, also known as the “General Data Protection Regulation” or “GDPR”.
What is GDPR?
General Data Protection Regulation or the GDPR is designed to empower individuals with greater control over their personal data.
The GDPR also benefits the business as it enables the free flow of data across the Digital Single Market as well as pushes for the creation of more cyber-security, which ultimately translates into greater reputation for the companies and more loyal customers.
The GDPR will apply to all EU member states and to any organization outside the EU that handles the data of EU residents, meaning it affects international companies including all British companies post-Brexit.
Why is it so important to protect personal data?
Personal data is a fundamental human right written in Article 8 of the Charter of Fundamental Rights of the European Union. In many cases, our personal data has been sold and used by many companies or organisations without transparency or our knowledge. That is why it is so important for us to be informed or give consent of how our personal data should be used.
What is a personal data breach?
Article 4 of the GDPR defines personal data breach as an “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed“. One of the key terms here is “accidental”, meaning that companies will be held accountable even if the breach was unintentional.
Now imagine what would happen if a bug on the website or app allowed any unauthorised people to view this information.
If our personal data gets into the wrong hands, politicians, fraudsters and even criminal gangs and terrorist organizations could use it to advance their purposes and inflict significant damages on the victims.
What is the company’s duty if it’s aware of a data breach?
“The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage”, according to the UK ICO website.
This is a major step towards protecting individuals as it will force businesses who value customer experience to think beyond merely paying fines. Compliant businesses will need to implement robust controls, regular audits, and reports as well as security around personal data.
What happens if the company fails to do so?
Any organization, European or non-European, large or small, that processes data of EU residents will be subject to expensive fines of up to €20 million or 4% global annual turnover (whichever is greater) should they infringe on the new data rights. Had Facebook been found in breach of this after 25 May 2018 and continued not to comply, it would have needed to give up on up to US $1.6 billion in fines.
One of the top qualifiers for such a hefty fine is a personal data breach, which is exactly what Facebook and Cambridge Analytica are being suspected for.
Personal data is nearly as valuable as our personal identification documents, and businesses who process, analyze and build products around that data can create enormous value to humanity. However, to ensure it stays in safe hands, more and more minds will need to come together to ensure it is handled in compliance with the new rules.
A quick scan of Cambridge Analytica’s employee profiles on LinkedIn reveals many data, analytics and tech experts, but virtually nobody with any kind of legal or compliance role. This will change very soon, and not only for Cambridge Analytica.