Well, you know where this is going. Facebook is under fire this week for allowing a third-party developer to harvest far more user data than it was supposed to - data from over 50 million users without their permission or consent. There are a lot of angles to this story, and a lot of finger-pointing about who did what and how things should have been handled. Although the facts are still being sorted out, this is serious business. As I’m writing this, the market value of Facebook has plummeted $50BB since the news broke. The company is now embroiled in a public relations nightmare, including calls for congressional testimony, which will leave a dark cloud hanging over the stock for months to come.
The wake-up call here is that the Facebook story is not about a data breach in the conventional sense of a bad actor gaining unauthorized access to a server or grabbing data in transit. It is about the inherent vulnerabilities of social network platforms, where value creation is directly proportional to the amount of personal data provided by members of a community who assume that active involvement in the community will not compromise their personal and financial security.
Whether or not your business is a social platform, your customers and employees are likely members of a social platform such as Facebook, and because of the strong potential for misuse of consumer data, your customers and employees are now wondering if they can have faith that the data they provide you will stay in safe hands.
Keeping data in safe hands is something that the European Union has been paying a lot of attention to, along with empowering the consumer to determine whether your company is allowed to keep data on your customers. You have likely heard about the EU General Data Protection Regulation (GDPR), which gives control of personal data back to the individual. It goes into effect on May 25, 2018. One of the rules of the GDPR that makes it such a game-changer is that companies that collect consumer data must demonstrate that the purpose of owning that data is justified. This means that while Facebook, Twitter, and similar players can still allow you to share and like things, they will not be allowed to keep (and certainly not sell) your data. Any company, including yours, whose business in Europe results in the retention of customer or employee personal data must comply with the GDPR or face fines of up to 4% of global revenue or €20 million, whichever is higher.
For all the hype around GDPR, the need for stricter data privacy regulations, and the individual’s right to know when, where, and how their data is being managed, many businesses appear to be taking a leisurely approach to the issue. The Facebook debacle reminds us that data privacy and compliance are not a “nice to have.” We take a “must have” approach to addressing this immediate challenge, which every large company must confront in 2018. Understanding your data privacy vulnerabilities requires a complete understanding of your IT portfolio and the plumbing that allows data to flow between business units. Visibility into your IT portfolio, the information architecture, and the supporting processes that define your business ecosystem will be necessary to successfully run a business going forward. Our approach to GDPR compliance is based on the premise that the technology that pushes data through your pipes is integral to your business processes.