With the GDPR looming ever closer, Facebook, along with a UK-based consultancy firm, has hit the headlines this week for an alleged breach of data protection laws.

Cambridge Analytica, which provides political consultancy services, has been accused of using the personal data of 50 million Facebook users to influence the US presidential election in 2016. The accusations came after a whistleblower, who used to work at the firm, raised concerns about a Facebook quiz that allegedly collected users’ data and then sold it on to Cambridge Analytica without their explicit consent – with a view to profiling the individuals and delivering pro-Trump propaganda to them.

The UK’s Information Commissioner, Elizabeth Denham, published a statement at the weekend confirming that the Information Commissioner’s Office (ICO) is “investigating the circumstances in which Facebook data may have been illegally acquired and used”. On Monday, Ms Denham also confirmed that a “Demand for Access” had been issued for records and data in the hands of Cambridge Analytica.

Mark Zuckerberg, the Facebook tycoon, has even been asked by the Chair of Parliament’s Digital, Culture, Media and Sport Committee to appear before it to give evidence.

Cambridge Analytica denies any wrongdoing, but Facebook decided to suspend the firm last week.

In related news, following an investigation by the ICO, WhatsApp has now signed an undertaking publicly promising not to share personal data with Facebook until it addresses its data protection issues and can do so in compliance with the GDPR.

It’s clear that nobody is immune to scrutiny when it comes to an individual’s right to have their data properly protected. Under the current Data Protection Act, organisations must have legitimate grounds for collecting and using personal data (which can include consent). The grounds and conditions for gathering and processing sensitive personal data (such as information relating to an individual’s race, political opinion, religious belief, health etc.) are even more stringent.

Come 25th May, when the GDPR comes into force, the focus on lawful processing will heighten, as the new legislation places more emphasis on organisations being accountable for, and transparent about, their lawful basis for processing.

Failing to comply with the new regulations could leave organisations open to enforcement action by the ICO, which could damage their public reputation (as seen with the plunge in Facebook’s share price this week), as well as their bank balance.

For further information or advice on your obligations under data protection law and on preparing for the incoming GDPR, please do get in touch.