By Martin on 22 May 2018
Can you believe we're nearly halfway through 2018 already? Poor old Mark Zuckerberg has been through the ringer altogether despite surpassing Christianity in terms of follower count. The year started out with the social media giant receiving flack for their algorithm changes. A short time later, things really hit the fan when it emerged that a data analytics company called Cambridge Analytica had been scraping data through Facebook apps and using it for a range of reasons, including influencing the US Presidential elections. Poor old Zuck ended up in front of Congress and all defending Facebook.
Would you believe, another Facebook app has emerged which has leaked data to 280 tech companies.
Facebook is perhaps indicative of the marketing wild west that's existed in recent years where people's personal data has been exploited for corporate gain. The EU is seeking to stamp this out with the General Data Protection Regulation. While some remain sceptical that GDPR will have a massive impact on how business is carried out, I'm going to show how GDPR's key seven principles could have saved Facebook's data protection blushes.
Seven Principles of GDPR
Ok, so let's get the non-sexy stuff out of the way. GDPR is built on seven core principles:
- Fair and Transparent Processing
- Specified and Lawful Purpose
- Minimisation of Processing
- Accuracy
- Storage Limitation
- Security and Confidentiality
- Liability and Accountability
Rather than simply giving you the super exciting details of what all of these mean, I'm going to show you how these could have prevented Facebook from finding itself in hot water altogether.
Fair and Transparent Processing
The first principle of GDPR states that personal data should be:
processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
I prefer to adopt "say what you do, do what you say, mean what you say", but only because it's more digestible. In short, all of this means you should, when dealing with people's personal data, be honest and open about what you'll be using it for; say what you do. So, how could this have helped Facebook?
The crux of the Facebook scandal was a third party app created by Aleksandr Kogan called This Is Your Digital Life. The app posed as a personality quiz which harvested people's responses and personal data along with the data of friends they had also connected with on the social media platform. Users had no idea that behind the scenes their data was being passed from pillar to post and would eventually be sold onto Cambridge Analytica. Here, this data was used to influence the outcome US election which saw Donald Trump made President.
The very first principle of GDPR demands that Facebook should inform users exactly what will happen with the data they provide. Straight away, that's how easily this could have all been avoided.
Specified and Lawful Purpose
Right, I'll admit that this one is a mouthful. Personal data should be:
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)
But in short, it's rather simple and still runs along my simplified approach to GDPR - "say what you do, do what you say, mean what you say". This principle focuses on the "do what you say" part.
If you've acquired a list of emails for a newsletter, great. You should send these people the newsletter they no expect to get. However, did you also tell them you're going to be uploading that data to Facebook to build a custom audience? From now on, it's important that you only process people's data in line with what you've told them you'd be using it for.
You can already see from the first principle how GDPR would have prevented so much of Facebook's woes. If they told people that their data would be harvested in the quiz and sold on to a third party, either fewer would have been affected or at least they would have known what they were letting themselves in for.
Minimisation of Processing
If I was to have a favourite GDPR principle, it would definitely be the third principle: minimisation of processing. This principle states that personal data shall be:
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
This leans heavily on the specified purpose of processing and demands that you only process data to achieve what you'd told people you wanted to use their data for. Again, if you've built a newsletter list purely for sending a weekly email, don't upload data to Facebook as a custom audience just because you have it.
So, what about Facebook?
While Facebook's world was falling apart and Mark Zuckerberg was appearing on CNN to defend the social media giant, another sneaky little story emerged about the Android Facebook Messenger app. As a result of Cambridge Analytica, some concerned users went digging around their phones to see what other data Facebook was harvesting. Sure enough, Android users found the Facebook Messenger app was storing months of call records and SMS data locally on people's phones.
If Facebook was adhering to GDPR and "minimised" the amount of data they processed, this would have been avoided. The app worked perfectly fine on iPhone without this data as Apple does not allow this particular data to be tracked. In a blog post published by Facebook, the platform defended itself by clarifying that users did need to opt-in, but didn't outline why the data was being collected in the first place. From this, I can go a step further. Facebook also didn't explain why the data was processed while giving the impression of a contact upload.
That's a twofer! Not minimising the data processing and also not providing a clear and transparent purpose.
Accuracy
Data protection and GDPR isn't just about making sure you don't leave a USB stick on the bus. It's also about making sure all the data you have on people is accurate. To be exact, the fourth principle states that personal data should be:
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
Generally speaking, this means if someone wants their data updated and request it updated, you have a responsibility to adhere to their wishes. This includes people requesting a change to their marketing preferences.
It's also important to remember that consent has a twelve-month shelf life and if you haven't contacted your email list in the twelve months since obtaining consent, you'll need to repermission them.
Facebook permitted third-party apps to access the data of users and their friends for many years, even after the loophole was pointed out to them. Since the scandal, Facebook has implemented new policies which state apps unused for three months will have their permissions revoked.
Storage Limitation
This is another simple enough principle, but a bit of a doozy in the actual regulation itself. It states that personal data should be:
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
A practical example of this is Excel files full of personal data. If you harvested this data legitimately for Facebook audiences or newsletters, once you have uploaded them to the third party service, delete the original file. If the data was only acquired for on campaign, delete the list from the third party when the run is complete. Only keep the data as long as you need it.
This was another low point for Facebook during the Cambridge Analytica scandal. Cambridge Analytica had data from millions of Facebook users and the social giant did request Cambridge Analytica delete any data they had. Cambridge Analytica said they did (they didn't) and Facebook never followed up.
While Facebook could probably do little at this stage, they should have had measures in place which ensured they could remove or restrict access to the data later on. For smaller companies, Google Sheets are great for this as you can revoke access from people whenever you like and your data processing agreement should dictate how they handle any data acquired from your relationship.
Security and Confidentiality
Another fairly simple one and one which you can start acting on straight away. The sixth principle of GDPR states that data should be:
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
Security doesn't necessarily mean working in Fort Knox and can be as simple as locking your PC when you go for a coffee or lunch break and ensuring your machine is encrypted. This means that when you're away or if your machine is lost or stolen, the significance of any data lost is greatly reduced.
Again, some of the points and principles I've covered already are making this one easier to explain in terms of Facebook avoiding the Cambridge Analytica sized scandal that they had. Had the ensured user data, and the data of their friend, was secure it would have been avoided. Had Facebook locked down the problem, the significance would have been reduced. Facebook could have gone further to ensure deletion and protection of the data that Cambridge Analytica had. Of course, that's really obvious now.
Liability and Accountability
The final point looks at who is liable and accountable should the mishandling of data take place. Facebook took a few days to respond to the scandal and first pointed fingers at Kogan, whistle blower Christopher Wylie and Cambridge Analytica for misusing people's data. Sure, these people all played a part, but they used Facebook's platform. There were gaps in security and poor protection practices everywhere which turned this into a powder keg of personal data breaches, resulting in the data of over 87 million Facebook users finding its way into the hands of a third party.
The Wolfgang Essential Takeaway
Right now, it's very easy to think GDPR is a pain in the arse. Your inbox is filling with repermissionings as brands and companies frantically seek to gain your "explicit consent". All in all, I hope you can see from all of this that pretty much any one of the key principles that GDPR is built upon could have stopped Facebook's Cambridge Analytica scandal. The days of the wild wild west in marketing are over as we moving into an era which focuses more on meaningful digital connections between brand and consumer.
