
The recent scandal involving Facebook’s data privacy has garnered global media attention and widespread mistrust of the social platform. It all erupted when it was reported that private information from approximately 87 million profiles was used to covertly influence the 2016 U.S. election.

The Story

In 2013, Aleksandr Kogan, a University of Cambridge psychology professor, created a personality quiz app called “thisisyourdigitallife.” The app utilized the Facebook login feature, which granted developers access to profile information. So when approximately 270,000 people downloaded the app, they agreed to share their data with the professor’s company. However, access to the platform’s API allowed the professor to download additional data from friends of those who took the quiz.

The app claimed to operate in accordance with Facebook’s platform policies, with the understanding that any information collected would be used for academic research only. Unfortunately, the private data ended up being used by controversial consulting firm Cambridge Analytica to sway a political campaign.

Data Is Gold

Before Facebook changed its policies in 2014, plenty of apps used the platform’s data-sharing feature to harvest profile information from unwitting users. Although the collection of data by developers has been restricted, according to The New York Times, “The core functions of Facebook’s open platform tool are still intact. There are still many third-party apps like ‘thisisyourdigitallife’ out there, vacuuming up intimate data about Facebook users. That data doesn’t disappear, and Facebook has no real recourse to stop it from falling into the wrong hands.”

What If…

Hundreds of third-party apps continue piggybacking off social media platforms to track our internet behavior, and there will likely be more stories like this one in the future. The possibility of another breach affecting millions is very real, and with the GDPR deadline only weeks away, consequences for noncompliance could be devastating.

The GDPR

There are three major GDPR violations at play here: consent, privacy by design and timely breach reporting.

The GDPR requires users to give their consent before personal information is harvested, and Facebook’s data policies no longer allow apps like these to “ask for data about a person’s friends unless their friends had also authorized the app.” However, assuming such data has already been collected, additional consent is required for it to be sold.

The consulting firm is responsible for breaching Facebook’s terms, but under the GDPR, Facebook would still be liable for the data it lost. “Even if data is collected in an appropriate way, the controller of that data is responsible and accountable for how it is processed by third parties,” Michael Baxter wrote in an article for GDPR.Report. Companies have an obligation to ensure end-to-end data protection for their users, which means putting measures in place to support privacy by design — the principle that privacy must be built into the core of each product/service and not added in retrospect.

It’s unclear when the internet behemoth actually discovered the breach, but according to The New Yorker, Facebook did send “a polite request to delete the GSR-sourced material.” As polite as the request may have been, it would not have been enough to avoid a huge GDPR fine — which, in Facebook’s case, could have been billions.

What Now?

This should serve as a cautionary tale for businesses everywhere. Ultimately, Facebook was responsible for the data that fell out of its control. The company failed to keep a tight enough grip on user data or track to see if it was being used properly. Now it’s facing multiple lawsuits and an investigation from the Federal Trade Commission (FTC), all resulting in a fall in stock value and many prominent companies and public figures dropping the platform altogether.

The management of company content is now more important than ever, and if this scandal has shown us anything, it’s that the mishandling of personal data can happen to any company of any size. Every company handling personal data is obligated to manage it properly, and all organizations will soon be held accountable by increasingly strict laws. When all is said and done, businesses will need a truly comprehensive solution for what is an ever-increasing issue.

This article originally appeared on Forbes. (Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.)