‘For anyone needing a reminder of the organisational importance of ethical data handling the Cambridge Analytica / Facebook story does just that’. The fact that one of the largest processors and holders of user data in the world has been found wanting this close to the new data protection regulations is at first almost hard to believe. However, you will most likely find that most organisations would be in a similar predicament with even just a little bit of digging. Such is the internal pressure on organisations to extract every possible penny from the data they hold that basic data protection processes are often overlooked and misuse becomes almost inevitable.
As if that wasn’t enough, it was discovered that Facebook had also been collecting the data from users’ phone calls and text messages. There have also been reports of people, upon downloading files containing all of the information collected by Facebook on them over the years, finding that the company had retained a detailed history of the phone calls they had made in the past two years, including phone numbers, names and the length of time for each call. In some cases, Facebook had been collecting this information without explicit consent from users, taking advantage of the way permissions are granted to applications on Android devices, which have access to call logs.
GDPR will completely change the way organisations are allowed to use customers’ personal information – gone will be the days of unnecessarily complicated, unclear small-print terms and conditions. Organisations and Data Processors will have to inform customers in a much more transparent way of what they will be using their data for and for how long, and then they will have to delete it afterwards.
Under the new GDPR regulations, third-party companies are essentially an extension of your organisation, as you will be held accountable for any data processing work they do that does not follow the new regulations. Organisations will now have the responsibility of full transparency about their use of third-party services and what those third parties are using their customers’ information for, a point that has come into sharp focus through Facebook’s involvement with third parties such as Cambridge Analytica. In turn, organisations should be obtaining written assurances from their third-party suppliers of the processes they are putting in place to be compliant with the new regulations. Contracts with third parties will now have to include details of how customer data will be handled in compliance with GDPR.
Case in point, Facebook announced a change involving limiting the type of information that can be accessed by third-party applications. The company will no longer allow developers to access the guest list or wall posts of an event scheduled on Facebook, while developers seeking to access the data of Facebook group members will first need to get the permission from a group administrator to ensure “they benefit the group”.
Look out for Part 2 of ‘Lessons learnt from the recent Facebook and Cambridge Analytica Saga’ coming soon…
Interested in learning more? Watch a replay of our recent UX and GDPR webinar here