Personal privacy is no longer a "nice to have" but a business and regulatory requirement.
"Move fast and break things" is the approach that has been attributed to Facebook over the years. That certainly worked – up until 2018. But with the disclosure that Cambridge Analytica had access to private personal information on more than 85 million Facebook users, and with the arrival of GDPR, Facebook's failure to protect individuals' privacy is under attack.
The social media firm now plans to spend in excess of USD 1 billion to fix the problem. Facebook is not an exception – most businesses are exposed as well. Small business owners and IT executives need to know what their compliance, privacy and security exposures are and act accordingly to bring them to acceptable levels.
Cambridge Analytica, a political analysis firm hired by the Trump 2016 presidential election campaign, gained access to personally identifiable information (PII) on more than 85 million Facebook users. They then used tools to identify the personalities and traits of American voters and used it to influence user behavior with digital ads.
This was not a single failure of data access by Facebook. In June The New York Times reported that Facebook had data-sharing partnerships with the mobile device manufacturers Apple, Amazon, BlackBerry, Microsoft, and Samsung, as well as with the Chinese device manufacturers Huawei, Lenovo, Oppo, and TCL.
The question then becomes what do these firms do with this PII, who do they share it with, and what level of control does Facebook have once the data is no longer in its hands?
In its recently announced quarterly earnings report the company reported slower growth and said that it will be spending in excess of USD 1 billion to improve its privacy and security. The stock dropped by 20 percent. Moreover, the firm stated that it anticipates the rate of its rising support costs to exceed its revenue growth by next year – not to mention the lawsuits. One can only conclude that privacy has an impact on customer loyalty and on the costs associated with safeguarding customer PII.
PII Must Be Protected
The Facebook saga is a lesson for all companies, and it is complicated by the implementation of the European Union's General Data Protection Regulation (GDPR). Companies affected by GDPR that fail to meet its privacy requirements could be hit with a penalty of up to four percent of annual global revenues. Personal privacy is no longer a "nice to have" but a business and regulatory requirement. And it won't be cheap to implement.
To address the PII requirements companies will need to put plans in place that tackle the following elements:
- Ensuring consent to use data for each process is obtained and documented
- Data classification and mapping, so that the firm truly knows where PII exists, how it is used, and by whom (applications and users)
- Establishment of proper access controls
- Tagging and data life cycle tracking of all PII data
- Logging of PII events (and providing alerts for potential exposures)
- Encryption of all PII data in transit and at rest
- Breach and notification reporting
- The ability to acknowledge a request for removal of data, and to remove it, when consent is withdrawn ("right to be forgotten")
- The ability to know where data has been transferred and control its use
- The establishment of data protection certification for the company and for all third parties that are in possession of PII data obtained by the company
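To make several of these elements concrete, here is an added example (my own illustration, not code from the article or from any company it mentions) of a small in-memory PII register. It covers classification and tagging of PII fields, per-purpose consent that is recorded with a timestamp, access that is denied and flagged when no consent exists for the requested purpose, an audit log that stores a pseudonymised subject identifier rather than raw PII, and erasure of the record when consent is withdrawn. All names (PiiRegister, ConsentError, the sample user) are assumptions; encryption at rest and in transit is outside this snippet.

```python
"""Constructed example: a minimal PII register with tagging, consent,
access control, audit logging and erasure. Not production code."""
import hashlib
import time
from dataclasses import dataclass, field


class ConsentError(PermissionError):
    """Raised when a process asks for PII without recorded consent."""


@dataclass
class Subject:
    fields: dict                                  # field name -> stored value
    pii_fields: set                               # field names classified as PII
    consents: dict = field(default_factory=dict)  # purpose -> time consent was granted
    created_at: float = field(default_factory=time.time)


class PiiRegister:
    def __init__(self):
        self._subjects = {}
        self._audit = []  # (event, pseudonymised subject id, purpose, allowed)

    @staticmethod
    def _pseudonym(subject_id):
        # Log a hash of the identifier, not the identifier itself,
        # so the audit log does not become another store of PII.
        return hashlib.sha256(subject_id.encode()).hexdigest()[:12]

    def _log(self, event, subject_id, purpose, allowed):
        self._audit.append((event, self._pseudonym(subject_id), purpose, allowed))

    def register(self, subject_id, fields, pii_fields):
        # Classification step: every tagged field must exist in the record.
        unknown = set(pii_fields) - set(fields)
        if unknown:
            raise ValueError(f"tagged fields not present: {sorted(unknown)}")
        self._subjects[subject_id] = Subject(dict(fields), set(pii_fields))
        self._log("register", subject_id, None, True)

    def grant_consent(self, subject_id, purpose):
        self._subjects[subject_id].consents[purpose] = time.time()
        self._log("consent_granted", subject_id, purpose, True)

    def withdraw_consent(self, subject_id, purpose):
        subj = self._subjects[subject_id]
        subj.consents.pop(purpose, None)
        self._log("consent_withdrawn", subject_id, purpose, True)
        # No remaining lawful purpose: honour the "right to be forgotten".
        if not subj.consents:
            self.erase(subject_id, reason="consent_withdrawn")

    def access(self, subject_id, purpose):
        """Return the subject's record for `purpose`; refuse and flag the
        attempt when no consent for that purpose is on record."""
        subj = self._subjects[subject_id]
        allowed = purpose in subj.consents
        self._log("access", subject_id, purpose, allowed)
        if not allowed:
            raise ConsentError(f"no consent recorded for purpose {purpose!r}")
        return dict(subj.fields)

    def erase(self, subject_id, reason="request"):
        """Drop the record itself; only the pseudonymised audit entry remains."""
        self._subjects.pop(subject_id, None)
        self._log("erase", subject_id, reason, True)

    def holds(self, subject_id):
        return subject_id in self._subjects

    def exposures(self):
        """Audit entries where PII was requested without consent (alert feed)."""
        return [e for e in self._audit if e[0] == "access" and not e[3]]

    def audit_log(self):
        return list(self._audit)


def demo():
    """Walk one constructed user through the life cycle; sample data is made up."""
    reg = PiiRegister()
    reg.register("user-42", {"email": "a@example.com", "plan": "basic"}, {"email"})
    reg.grant_consent("user-42", "billing")
    billing_view = reg.access("user-42", "billing")      # allowed
    try:
        reg.access("user-42", "marketing")               # no consent -> flagged
    except ConsentError:
        pass
    reg.withdraw_consent("user-42", "billing")           # last consent -> erased
    return {
        "billing_view": billing_view,
        "still_held": reg.holds("user-42"),
        "exposure_count": len(reg.exposures()),
        "events": [e[0] for e in reg.audit_log()],
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that consent is keyed by processing purpose, not granted once for everything, which is what "consent for each process" in the list above asks for, and that the log records a pseudonym so that the logging element does not undermine the minimisation element.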
The privacy stakes have risen significantly since the Facebook breaches and the GDPR "go live" date, and people are now more wary and less trusting of corporations.
On the other hand, there is a digital business transformation occurring, which is causing more and more transactions to be done electronically from smartphones and other user-friendly devices. Thus, companies must be able to participate in the digital economy while simultaneously adhering to the privacy requirements as demanded by individuals and governments.
Small business owners and IT executives must create and execute a plan that enables them to be competitive in the digital world while satisfying PII requirements – or alternatively, executives will have to gird themselves for potentially dealing with a materially significant risk exposure.
About the author
Mr. Braunstein serves as Chairman/CEO and Executive Director of Research at the Robert Frances Group (RFG). In addition to his corporate role, he helps his clients wrestle with a range of business, management, regulatory, and technology issues.
He has deep and broad experience in business strategy management, business process management, enterprise systems architecture, financing, mission-critical systems, project and portfolio management, procurement, risk management, sustainability, and vendor management. Cal also chaired a Business Operational Risk Council whose membership consisted of a number of top global financial institutions.