Facebook, Cambridge Analytica and GDPR: The Changing Landscape of Privacy and Data

  • 26 Apr 2018

With the lens of the media fixed firmly on Facebook these past few weeks, the public have never been more aware of their digital footprint and how it can be exploited. Mark Zuckerberg has been the focus of the Cambridge Analytica scandal and was called in front of Congress to answer for Facebook’s part (or arguably, complicity) in it. However, the Cambridge Analytica scandal will have wider repercussions for any organisation that holds data on its clients. After all, if a person’s data can be harvested through their Facebook profiles along with millions of others in order to manipulate political opinions and potentially influence elections, people are going to become very wary about what their data is being used for.

What is the Cambridge Analytica breach?

  • Potentially 87 million Facebook profiles were harvested by a UK-based academic, Aleksandr Kogan, and his company Global Science Research.
  • Kogan obtained the data through an app that paid participants to take a personality test, but the app also collected data about those participants’ Facebook friends without their consent.
  • Kogan then sold this data to Cambridge Analytica, who used the information as part of their “behavioural science” approach to target people with ads and marketing material.
  • The Trump campaign used Cambridge Analytica’s services to identify voters who were deemed the most easily persuaded and target them with content and ads that influenced their political opinions.

Given the profound effect of the Facebook and Cambridge Analytica scandal, the impact is sure to be far-reaching. With wider awareness of what happens to our data, online habits and attitudes are sure to change and there will be a knock-on effect on businesses and organisations.

Data and GDPR

The biggest change in how organisations store and protect data needs to happen before May 25th of this year. Even before the Cambridge Analytica scandal came to light, GDPR – the General Data Protection Regulation – had introduced a new set of rules that companies have to abide by or face serious fines. Facebook’s very public disgrace has, however, brought the issue to the forefront of everyone’s minds.

The EU’s GDPR states that all companies holding personally identifiable information on EU residents must comply with the new rules or potentially face stiff fines once the penalties come into effect on May 25th 2018. It gives residents new rights, such as the right to be forgotten, the right to move their data and the right to object to the processing of their data.

It explicitly requires companies to communicate clearly the data they collect, its use, and who that data is shared with, in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

As an example, for an email newsletter, the subscriber’s details must be collected entirely optionally and on an explicit opt-in basis (no more de-selecting pre-ticked checkboxes before submitting forms), and the form should carry notices on how the company will use the data submitted (in this case, only for sending the newsletter) and who it will be shared with (no-one other than the company, in this example). With Facebook’s murky use of data continuing to feature prominently in the news, people may well be less inclined to tick boxes saying that their contact details can be shared, potentially erasing an email marketer’s bread and butter for targeting consumers.
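To make the newsletter example concrete, here is an added illustration (not code from this post or from any product it mentions) of the two server-side pieces that turn the opt-in rule into something checkable: a scan of a sign-up form template for consent checkboxes that are pre-ticked, and a consent record that binds the subscriber’s tick to the exact notice they saw, so that later uses and sharing can be tested against it. The form templates, field names and notice wording are constructed for the example.

```python
"""Opt-in consent for a newsletter sign-up (added example, not the post's code).

Two checks a practitioner would want:
  1. find_preticked_checkboxes(): catches the opt-out pattern (a checkbox
     rendered with `checked`) in a form template before it ships.
  2. record_consent() / may_use_for() / may_share_with(): store what the
     subscriber agreed to and refuse uses or recipients outside that notice.
"""
import hashlib
import re
from datetime import datetime, timezone

# Constructed sign-up notice: what is collected, for what, and shared with whom.
NEWSLETTER_NOTICE = {
    "version": "2018-05-01",
    "collects": ["email"],
    "purposes": ["newsletter"],   # the only use this consent covers
    "shared_with": [],            # no-one outside the company
    "text": "We will use your e-mail address only to send you our newsletter. "
            "It will not be shared with anyone else.",
}

# Constructed form templates: the first pre-ticks consent (opt-out), the second
# leaves the box unchecked (opt-in).
OPT_OUT_FORM = ('<form><input type="email" name="email">'
                '<input type="checkbox" name="consent" checked> Send me the newsletter</form>')
OPT_IN_FORM = ('<form><input type="email" name="email">'
               '<input type="checkbox" name="consent"> Send me the newsletter</form>')

_INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
_ATTR = re.compile(r"""([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?""")


def _attributes(tag):
    """Parse the attributes of one <input ...> tag into a dict (boolean attrs -> '')."""
    inner = tag[len("<input"):].rstrip(">").rstrip("/")
    attrs = {}
    for m in _ATTR.finditer(inner):
        value = next((g for g in m.groups()[1:] if g is not None), "")
        attrs[m.group(1).lower()] = value
    return attrs


def find_preticked_checkboxes(html):
    """Return the names of checkbox inputs that are checked by default."""
    preticked = []
    for tag in _INPUT_TAG.findall(html):
        attrs = _attributes(tag)
        if attrs.get("type", "text").lower() == "checkbox" and "checked" in attrs:
            preticked.append(attrs.get("name", ""))
    return preticked


def record_consent(submitted_fields, notice=NEWSLETTER_NOTICE):
    """Build a consent record from submitted form fields, or None if no consent.

    Only an affirmative tick ("consent" == "on") counts; a missing field means
    the subscriber did not opt in, so nothing is stored.
    """
    if submitted_fields.get("consent") != "on":
        return None
    email = submitted_fields.get("email", "").strip()
    if not email:
        return None
    return {
        "email": email,
        "purposes": list(notice["purposes"]),
        "shared_with": list(notice["shared_with"]),
        "notice_version": notice["version"],
        # Hash of the exact wording agreed to, so a later edit to the notice
        # cannot silently widen what this record permits.
        "notice_sha256": hashlib.sha256(notice["text"].encode()).hexdigest(),
        "given_at": datetime.now(timezone.utc).isoformat(),
    }


def may_use_for(record, purpose):
    """Purpose limitation: only uses named in the notice are permitted."""
    return record is not None and purpose in record["purposes"]


def may_share_with(record, party):
    """Sharing limitation: only recipients named in the notice are permitted."""
    return record is not None and party in record["shared_with"]


if __name__ == "__main__":
    print("pre-ticked in opt-out form:", find_preticked_checkboxes(OPT_OUT_FORM))
    print("pre-ticked in opt-in form:", find_preticked_checkboxes(OPT_IN_FORM))
    rec = record_consent({"email": "alice@example.org", "consent": "on"})
    print("newsletter allowed:", may_use_for(rec, "newsletter"))
    print("advertising allowed:", may_use_for(rec, "advertising"))
```

The template scan is the cheap pre-release check; the consent record is what answers, months later, the question "what exactly did this person agree to, and under which version of the notice?" without relying on whatever the current sign-up page happens to say.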

Facebook Advertising


As is always the case following a data breach, the reputational damage has had a financial knock-on effect for Facebook. Mozilla announced that they would be “pausing” their advertising with Facebook until “Facebook takes stronger action in how it shares customer data, specifically strengthening its default privacy settings for third party apps.” As responsible use of data becomes a growing priority, other advertisers are sure to follow.

For many businesses, Facebook is an important tool for engaging customers, but not at the cost of compromising customer privacy. Businesses are starting to reconsider whether the terms and conditions of their third-party networks align with their values, and whether or not they are in the interest of the consumer. The dating app Bumble has recently announced a new way for users to log in without Facebook, and businesses that want to offer consumers ways of engaging with them without Facebook will no doubt follow suit.

Bring Your Own Device

With remote working and workday flexibility becoming the norm, people are increasingly using their own devices at work – a practice known as Bring Your Own Device (BYOD). However, the merging of business and pleasure in one device becomes highly problematic when dealing with sensitive data. WhatsApp (incidentally, owned by Facebook) is one example of a commonly used channel of communication, but having it on a device along with all of your work contacts puts you in direct breach of GDPR, as the app accesses and stores all of the contacts on your phone.

The revelations about Facebook that came to light during Zuckerberg’s congressional hearing may have been a shock to the senators, but if you look at the terms and conditions of the Facebook and Messenger apps it is all there in plain sight. Messages, videos, links and images are all scanned by Facebook’s artificial intelligence. Although encryption is an option, it is turned off by default. This means that if you use the same phone for work and communicate about work matters over Facebook or Messenger, you are exposing that data to a third party. Even if you don’t use Facebook or Messenger on the device you use for work, some Android users found that their SMS and call logs had been scraped by Facebook anyway. Organisations are therefore going to have to rethink their BYOD policy if they are to keep control of their own data.

The Facebook/Cambridge Analytica scandal has had an unprecedented impact on the way lawmakers take notice of consumer data privacy rights. Mark Zuckerberg being hauled in front of Congress to be questioned about the breach shows how seriously it is being taken, and is surely a sign that GDPR is not the last change in data protection law we are going to see over the next few years. For consumers, this will hopefully be a good thing in the long run; for businesses, it is time to review data practices and plan for big changes in the digital landscape.


YUDU Sentinel is an app-based crisis communication platform for the management of fire, terrorist and cyber attacks, or any other critical incidents. Crisis managers have immediate access to independent two-way communication (SMS, voice, email and in-app messaging) and can view key documents on mobiles. Sentinel is a cutting-edge crisis management tool. Find out more at www.yudu.com/sentinel or contact us on Twitter @YUDUSentinel.
