Cambridge Analytica and the ICO
I first heard about a company called Cambridge Analytica in January 2017. Having an interest in data protection matters due to the nature of my work, I was actually fascinated by a company that claimed it could assist political campaigns to produce highly precise targeted Facebook ads and that their services were employed by both the Trump campaign and the Brexit Leave campaign.
Cambridge Analytica are a British company who operate out of London. As such, they are subject to UK data protection law. The furore over the past 24 hours concerns data acquired by a company about Facebook users under the pretext of academic research. This data was then sold on to another company, Cambridge Analytica, whose intention was to use it very differently.
Cambridge Analytica, it seems, hold Facebook data on people who have not agreed to share it directly with them. For clarity, this is not a data breach, contrary to what has been described in a great deal of global media coverage over the past 24 hours.
The Information Commissioner's Office (ICO) have said they shall apply for a warrant to search computers and servers used by Cambridge Analytica amid concerns about the company’s activities.
The Information Commissioner, Elizabeth Denham, has criticised Cambridge Analytica for being “uncooperative with her”. The fact, however, that Cambridge Analytica have been alerted to the ICO’s intended application for a court warrant detracts from the impact that a sudden inspection would have had upon the offices and indeed personnel of Cambridge Analytica. Such a warrant shall take time to acquire, and it is required under the current law (the Data Protection Act 1998) as the ICO have no such powers to inspect at will.
Once the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, the ICO shall enjoy much wider investigative and corrective powers under Article 58 of GDPR.
These will include the power to undertake on-site data protection audits, the power to issue public warnings, reprimands and audits to carry out specific remediation activities. If such a situation as with Cambridge Analytica today were to arise after May 2018, the ICO would be able to order the company or organisation in question to provide virtually any information it would require to perform its tasks.
Applied to your own company, awareness of the investigative powers the ICO shall shortly gain should be considered when determining data protection policies, both internal and external to your company. Transparency and record keeping will both become accepted practices over time.