
Clive Humby, the engineer of Tesco’s Clubcard, was widely credited as the first to use the phrase: “Data is the new oil.” Since this statement 12 years ago, many organisations have been mining, collecting and analysing data to spot patterns or trends to help tailor products and services for their clients with considerable implications for the use and potential misuse of this valuable commodity.

However, this week it has been alleged that personal data collected by Facebook was used by Cambridge Analytica, a data analytics firm, for the purpose of electoral manipulation in the 2016 US presidential contest. The personal data in question was apparently garnered from a quiz on Facebook in which users were asked questions to find out their personality type. It is alleged that 270,000 people consented to the quiz which allowed the designers of the quiz to harvest the personal data of their friend network giving them access to the personal data of 50 million users who had not consented to this being used for this purpose.

This data was subsequently sold to Cambridge Analytica, who analysed it and used it to profile users. The data allowed them to formulate strategies for Trump’s campaign based on what individuals had “liked” and to identify swing voters, who were then targeted with appropriately tailored pro-Trump messages. In the wake of these revelations Facebook has had more than £50 billion wiped off its value as investors reacted in horror to what may be seen as a significant breach, not just of formal legal obligations, but of trust between user and service provider. UK MPs have even written to Mark Zuckerberg demanding that he appear in Westminster to face questions about Facebook’s role in the Cambridge Analytica scandal.

The Information Commissioner’s Office (ICO), the UK’s independent authority set up to uphold information rights in the public interest, has been quick to condemn both companies and their involvement in the mismanagement of users’ data. The ICO is also seeking a warrant to inspect Cambridge Analytica’s databases and records as part of an ongoing investigation into the use of personal data in political campaigns.

What is the law doing to help stop companies using individuals’ personal data in ways they would not expect? In Europe there will be a significant overhaul of data protection laws with the introduction of the General Data Protection Regulation (GDPR) on the 25th of May, which will significantly change how personal data must be handled.

What should Employers and their HR Teams be doing now?

As one of the main handlers of personal data in an organisation, ahead of the introduction of the GDPR, HR teams should be:

1. Understand the requirements of the GDPR – HR teams will now have to put data protection at the forefront of their minds. They will also need to understand what the GDPR entails; for a brief overview please read our previous Insight.

2. Conduct a data audit – conducting an audit will help an HR team find where their data is stored, how they collected it and what they proposed to do with it. The audit should include data on employees, workers, job applicants and any other individuals within the HR area of responsibility, such as contractors, volunteers, interns and former employees, and should also include any data sent to third parties such as payroll providers.

3. Start mapping your data – the ICO has produced a spreadsheet to assist with this. Mapping your data will help prove to the ICO that you have documented where your data is and will allow you to document and log the legal bases that you are relying on for processing data.

4. Establish whether there are any gaps in compliance with the GDPR – following the mapping of the data you will be able to see whether there are any areas of the GDPR with which you do not currently comply and which will need to be rectified before 25 May.

5. Ensure that contracts with third parties are reviewed – the GDPR fundamentally changes the obligations and liabilities between controllers and processors. Controller-processor contracts must now include certain specific terms as a mandatory minimum. It is worth noting that there will not be a grace period, therefore HR teams should ensure that all contracts with processors are reviewed and GDPR compliant ahead of the 25th of May.

6. Develop new privacy policies and notices – as well as updating previous policies, you may need to develop new policies as a result of the audit, for example a breach reporting or data retention policy, and comply with the “right to be informed” by preparing and issuing privacy notices to data subjects.

7. Train staff and make them aware of the new policies – you will want to make staff aware of any new policies that have been introduced or updated. Regular reviews and training of staff will help keep HR teams compliant and up to speed on any developments.

With the fines for non-compliance being up to either 4% of annual turnover or €20 million, HR teams will want to make sure their policies and procedures are GDPR compliant and in place ahead of May 25th.

If you have any queries about any of the issues raised above please do not hesitate to contact a member of the Stronachs Employment Team.

Ross Michie, Trainee Solicitor
