Facebook: A Cautionary Tale in Data Protection

Just last week, I noted that the UK's Information Commissioner's Office (ICO) closed its investigation, under GDPR (the EU's new data protection law), into Facebook sharing personal data with WhatsApp, which it acquired in 2014 on the agreement that the Facebook and WhatsApp platforms would not share data.

At the time I noted that this was a great example of GDPR's strategic company risk. Sharing customer data is usually one of the primary reasons for M&A; without it, the value of such transactions is often dramatically reduced. I wonder how many CFOs are accounting for GDPR strategic risk in their M&A strategy. Probably not many.

Wow, that was quick. It just got much worse for Facebook

I just watched Mark Zuckerberg's mea culpa about the Cambridge Analytica breach on CNN. I believe he's "really sorry"; there's no question his company is in real trouble.

But did Cambridge Analytica's use of Facebook user data constitute a security breach? In this case, hackers didn't compromise either Facebook or Cambridge Analytica, so one would have to argue that no, it wasn't a security breach.

A new concept (for some): PRIVACY BREACH

In the US, the laws governing privacy are weak to non-existent. We're used to privacy notices being buried, and an extensive data brokerage market exists in which companies are free to sell your personal data for practically any use, including determining how much you pay for services, which job interviews you get, which ads you see and so on (see "Inside the Shadowy World of Data Brokers").

But as Facebook is about to discover, that doesn't mean there isn't legal risk. Lawsuits have already been announced. It's clear Facebook's troubles are just beginning.

For data privacy in the EU, things are quite different. There's no question that Cambridge Analytica's use of Facebook user data is a clear violation of GDPR. Ireland and the UK have both already opened investigations. The fines are likely to be tame since GDPR doesn't go into enforcement until May, but it's a near certainty EU regulators will find other ways to enforce a maximum penalty of 4% of Facebook's $40 Billion (about $1.6 Billion). This pales in comparison to their brand risk, not to mention the risk that other 3rd parties have retained personal data scraped from Facebook and have put (or will put) that information to use.

What's your risk that 3rd parties retained personal data your company gave them?

How many EU citizens are likely to stop using Facebook altogether? To understand this, let's talk about the EU consumer, and the cultural forces driving GDPR.

For many in the EU, data privacy = freedom

It's been explained to me that Europeans have a cultural memory of the Nazi "surveillance state", and this is one of the primary reasons why Europeans take data privacy so seriously (EU friends, I would love your thoughts below on this). GDPR is notable not because of the hefty fines, but because it makes control of personal data an individual right.

The Facebook Cambridge Analytica privacy scandal is sure to strengthen this perception because of the Trump campaign's use of personal data to manipulate voters (Democrats, you're not off the hook either; see this article). This makes GDPR enforcement against US companies likely to be much more aggressive than it otherwise would have been.

What can the US companies learn from the Facebook scandal?

While Facebook's situation is extreme compared to most US companies at present, most companies collect significant amounts of sensitive personal data, and with that comes significant responsibility, and risk.

GDPR is a major risk for companies with EU customers (or who otherwise handle EU resident data), but as the Facebook situation clearly demonstrates, it's not just regulatory risk and it's not just in the EU.

On one hand, we need this data to do a better job creating the products and experiences customers want. On the other hand, handling such data in a consistent, secure manner company-wide is very difficult, especially when that data lives in many places and with 3rd parties. Companies that engage in M&A activity are especially at risk because their personal data is often fragmented across hundreds (or even thousands) of data silos.

Compliance with GDPR is a good start. If Facebook had automated data governance in place that fully complied with GDPR (including controls for 3rd party access like Cambridge Analytica's), their risk would have been much lower. If you'd like to know more about data governance automation for GDPR, look here.