m@ksim.pro

Cambridge Analytica: a data governance lesson beyond platforms

What the Facebook and Cambridge Analytica story means for ordinary companies - not platforms, but those that use data about people in their daily work.

The Cambridge Analytica story broke into public consciousness in March 2018. The company had obtained data on tens of millions of Facebook users without their explicit consent and used it for political profiling. Facebook's market capitalisation fell, Zuckerberg testified before Congress, and the entire world suddenly started talking about what actually happens to people's data.

Most commentary was directed at Facebook and platforms. That is understandable - the scale there is enormous. But I think there is a different, more practical lesson here for executives of ordinary companies.

What happened from a data perspective

Cambridge Analytica did not hack Facebook. It used a legitimate mechanism - an application that users authorised themselves. The problem was that this mechanism allowed collecting data not only from the authorising user but also from their friends - who knew nothing about it and had agreed to nothing.

From a technical standpoint, it operated within the platform's rules. From the standpoint of people's expectations - it was a breach. That gap is exactly what created the crisis.

The question "what is technically permitted" and the question "what do the people who provided the data expect" are different questions. Companies that do not see this difference risk ending up in a similar situation.

Why this matters beyond platforms

An ordinary company - a retail business, a service company, a B2B player - collects data about customers every day. Email addresses, purchase history, website behaviour, survey results. It sometimes passes this to contractors - advertising agencies, analytics platforms, email marketing services.

Questions worth asking:

  • Do customers know what actually happens to their data?
  • Do contracts with contractors include requirements for handling that data?
  • Who in the company is responsible for ensuring those requirements are met?
  • What happens to the data when a contractor engagement ends?

These are not rhetorical questions. These are specific gaps I find in almost every mid-sized company.

Data governance as an operational function

The Cambridge Analytica story showed that data governance is not only a legal and technical matter. It is a question of how a company thinks about its responsibility toward the people whose data it uses.

In practice this means several things:

First, knowing where the data is. This is the same inventory that GDPR talks about - but the motivation here is not only regulatory.

Second, knowing who has access to it - inside the company and outside. Not "we roughly understand", but a specific list.

Third, having a process for responding to a situation when something has gone wrong. Not "we will figure it out when it happens", but a thought-through plan.

What changed after this story

In the coming months, regulatory pressure on personal data handling will only increase - and not only because of GDPR. Cambridge Analytica changed the social climate around the data topic. People started asking more questions and extending less trust by default.

For business this means that transparency in data handling is ceasing to be a competitive advantage and becoming a baseline expectation. Companies that build this practice now will be in a better position - not because they avoided fines, but because they preserved trust.
