Niall McMullan, associate partner at Worthingtons Solicitors, writes on the value of personal data ahead of the EU General Data Protection Regulation (GDPR) entering effect.

The past week has seen the issue of personal data thrown into the spotlight again, as a result of accusations that social media giant, Facebook allowed Cambridge Analytica, a political consultancy firm, to harvest the data of 50 million users for political means. Such controversy only serves to highlight further the importance of personal data usage by controllers in the current climate where the GDPR legislation is imminent.

This story begins in 2014 with an app called ‘ThisIsYourDigitalLife’, created by Aleksandr Krogan, an academic from Cambridge University, for the purpose of rolling out a personality test on the social network. Some 270,000 volunteers were paid to log into Facebook and have their personal data collected for academic use. Data collected by app developers on the social network was not supposed to be used for advertising or sold to 3rd parties.

It is alleged personal data harvested by this Facebook app and transferred on to Cambridge Analytica has assisted in the election of Donald Trump as US President and was used to support the ‘Vote Leave’ Brexit Campaign. Cambridge Analytica allegedly used the personal data of the individuals to psychologically profile people and deliver pro-Trump material to them. Clearly such volumes of personal data falling into the right hands can prove extremely useful and can be used for such devices as marketing, advertising and research and ultimately, to further organisations’ political, economic or social aims. This is why personal data is valuable.

Facebook has always felt like a safe space, a place where everyone knows your name, what football team you support and your favourite holiday destination. Indeed, we have become so comfortable with sharing details of our lives and daily routines on social media that the revelations that Facebook has allegedly allowed, without our consent, such personal data to be harvested for someone else’s political gain feels like a serious violation of trust. It is this misuse of personal data that is most concerning.

The blurring of control and consent of personal data is what the GDPR, due to come into force on 25 May this year, set out to directly tackle. Everyone who uses the internet to browse websites will be familiar with the need to ‘opt out’ of a range of services including the analysis of data and cookie tracking. However, from May this year organisations will require individuals to provide positive consent for their personal data to be processed and held.

Post-GDPR, personal data is back in control of the consumer, and companies, to include employers, must therefore be alert to what individuals are entitled to request about what data is being held about them, as well as the right to be forgotten. Crucially, individuals are entitled to greater transparency as to how their personal data is being held, used and processed. The emphasis is on organisations to ensure that they negotiate this new opt-in world successfully come May 25, or face potential fines of up to €20 million or 4% of their annual turnover.