The news that Cambridge Analytica, the British political consultancy firm, and their parent company SCL Group have gone into administration must serve as a warning to businesses to place the processing of personal data at their core. This is especially the case with the impending GDPR, coming into force on 25 May 2018.
Cambridge Analytica, which in their own words states “Data drives all we do. Cambridge Analytica uses data to change audience behavior.”, has blamed a media blitz and a stream of negative attention for driving away their client and supplier base to such an extent that they can no longer operate.
However, this does not mean that Cambridge Analytica will escape further sanction, as the Information Commissioner’s Office (ICO) will still be continuing their investigation into the company for any suspected data breaches and contraventions of the principles of the Data Protection Act 1998.
Cambridge Analytica could therefore still face further sanctions, despite not being operational. Despite promises to work with the UK in the wake of the scandal and an insistence that nothing done was illegal, Cambridge Analytica reportedly missed the deadline for providing information to the ICO.
The ICO, which has been looking specifically into the British firm's handling of data harvested from millions of Facebook users and raided its offices in March, said the inquiry would continue.
What does this mean for businesses?
Simply going into administration will not mean that the ICO will cease their investigation, so this should not be seen as a way to “escape” sanction.
All businesses (especially those that have data processing/harvesting at their core) must be transparent and open with individuals, ensure that individuals are fully informed and, where necessary, ensure that their explicit consent is provided.
To process personal data, a business must ensure it has a basis to do so, the main bases being:
- The performance of contractual obligations
- For compliance with a legal obligation to which the Data Controller (you) is subject
- To protect the data subject's vital interests
If relying on consent, this must be clear, explicit and demonstrable.