As we are all more than aware, the news has been awash with the Facebook Cambridge Analytica scandal in recent weeks. While the issue of data privacy (or the lack thereof) is nothing new, the Cambridge Analytica scandal comes at a time when new European Data Protection laws (GDPR) are soon to come into effect and companies across Ireland and the rest of Europe which handle personal data need to be prepared for this.

I attended a conference on GDPR at the start of March to get a better understanding of what all companies and organisations that handle personal data need to do in order to be compliant with GDPR when it comes into effect.

The overarching theme that was repeated by each and every speaker at the conference was that it is not enough for companies to "be compliant" with GDPR, but that they must also "be able to prove compliance" with GDPR.

In the corporate department at Leman Solicitors one of the main areas of work we advise companies on is obtaining investment from a mix of VCs, private equity houses and corporate finance houses. In preparing for any investment, the first thing a company needs to do is "get investor ready". We have given many presentations and roadshows in the last few years to companies on "getting investor ready". This essentially is a lesson in good corporate housekeeping for would-be investee companies:

  • ensuring statutory registers are maintained and up to date;
  • ensuring all filings have been made in the Companies Registration Office;
  • ensuring written contracts with clients and suppliers have been entered into and are held on record;
  • ensuring employment contracts are in place for employees;
  • reviewing terms of any existing shareholders' agreements;
  • ensuring all intellectual property used by the company is properly documented and registered in appropriate registries where necessary.

Listening to the speakers at the GDPR conference and speaking to attendees that were present, it struck me that an additional issue that all companies seeking future investment (and particularly tech companies that handle large volumes of personal data) will need to consider and be well prepared for is the ability to "prove compliance" with GDPR, rather than relying on simply "being compliant" with GDPR when an investor approaches looking to invest in that company.

It is not only the increased obligations and potential sanctions within GDPR that apply to data handlers which will be of concern to any would-be investor and the money it invests in a company, but also the negative publicity that goes with the mishandling of personal data.

A data privacy problem for Facebook has very suddenly become a shareholder problem for Facebook.

The revelation that the personal data of in excess of 50 million Facebook customers found itself wrongfully in the hands of Cambridge Analytica, and that it was then misused to influence the US Presidential election and the Brexit campaign in the UK, had an immediate effect on the shareholders of Facebook.

Approximately $50bn was almost immediately wiped off the market value of Facebook. But this might only be the tip of the iceberg for Facebook and its shareholders as it remains to be seen what the knock-on effects of the Cambridge Analytica scandal will be.

Will large advertisers cease to use Facebook for advertising campaigns? The short answer is yes.

  • Commerzbank suspended its advertising on Facebook for the time being;
  • Shortly thereafter Mozilla suspended its advertising on Facebook;
  • Elon Musk's company Tesla deleted its Facebook page;
  • ISBA, which is a trade body representing over 3,000 advertisers in the UK, has voiced its concerns and demanded meetings with Facebook to get answers.

Whether the discovery that Facebook was aware of the wrongful mining of its data by Cambridge Analytica since 2015 (but only informed the public in recent weeks of this fact because the New York Times and the Observer were going to break the story) will further damage the market value of Facebook remains to be seen. If nothing else it paints a stark picture of Facebook's regard (or lack thereof) for its users' personal data.

The US Federal Trade Commission (USFTC) has now launched an investigation into Facebook, and Facebook will have to prove it has been compliant with agreements and commitments entered into with the USFTC in 2011 or else face fines and penalties.

It is time for all companies to realise the importance of personal data and the attention that needs to be paid to it. As this piece highlights, companies will need to be able "to prove compliance with GDPR" in future and not just "be compliant".

Leman Consulting and Leman Solicitors provide GDPR audit services and can assist companies seeking to get themselves GDPR ready.