You've updated your cookie polices, your privacy notices, contracts & agreements. Brand new process documents are in place. It was quite the fire drill, but you're ready for GDPR. Time for some well deserved rest.
Then you get the call
Hear Tyler Johnson's take on GDPR and the future of Fintech
Credit: BooDigital Here: https://boodigital.com/ https://twitter.com/talksdotcoffee https://www.facebook.com/coffeeshoptalks/
Just last week, I noted that the UK's Information Commissioner’s Office (ICO) closed its investigation into Facebook under GDPR (the EU's new data protection law) sharing personal data with WhatsApp who they acquired in 2014 when Facebook agreed that the Facebook and Whatsapp platforms would not share data.
At the time I noted that this was a great example of GDPR's strategic company risk. Sharing customer data is usually one of the primary reasons for M&A; without it, the value of such transactions is often dramatically reduced. I wonder how many CFOs are accounting for GDPR strategic risk in their M&A strategy. Probably not many.
I just watched Mark Zuckerberg's mea culpa about the Cambridge Analytica breach on CNN. I believe he's "really sorry", there's no question his company is real trouble.
But did the activity carried on by Cambridge Analytica's Facebook user data constitute a security breach? In this case, hackers didn't compromise either FB or Cambridge Analytica, so one would have to argue that no, it wasn't a security breach.
In the US, the laws governing privacy are weak to non existent. We're used to privacy notices being buried; an extensive data brokerage market exists where companies are free to sell your personal data for practically any use, including how much you pay for services, what job interviews you get, what ads you see and so on.
CIO.com: Inside the Shadowy World of Data Brokers
But as Facebook is about to discover, that doesn't mean there isn't legal risk. Lawsuits have already been announced. It's clear Facebook's troubles are just beginning.
For data privacy in the EU, things are quite different. There's no question that Cambridge Analytica's use of is a clear violation of GDPR. Ireland and the UK have already both opened investigations. The fines are likely to be tame since GDPR doesn't go into enforcement until May, but it's a near certainty EU regulators will find other ways to enforce a maximum penalty of 4% of Facebook's $40 Billion (about $1.6 Billion) . This pales in comparison to their brand risk, not to mention the risk the other 3rd parties have retained personal data scraped from Facebook and put (or will put) that information to use.
What's your risk that 3rd parties retained personal data your company gave them?
How may EU citizens are likely to stop using Facebook altogether? To understand this, let's talk about the EU consumer, and the cultural forces driving GDPR.
It's been explained to me that Europeans have a cultural memory of the Nazi "surveillance state" and this is one of the primary reasons why Europeans take data privacy so seriously (EU friends, would love your thoughts below on this) GDPR is notable, not because of the hefty fines, but because it makes control of personal data an individual right.
The Facebook Cambridge Analytica privacy scandal is sure to strengthen this perception because of the Trump campaigns' use of personal data to manipulate voters (Democrats, you're not off the hook either - see this article). This makes the likelihood of GDPR action against US companies much more aggressive than it otherwise would have been.
While Facebook's situation is extreme compared to most US companies at present, most companies collect significant amounts of sensitive personal data, and with that comes significant responsibility, and risk.
GDPR is a major risk for companies with EU customers (or who otherwise handle EU resident data), but as the Facebook situation clearly demonstrates, it's not just regulatory risk and it's not just in the EU.
On one hand, we need this data to do a better job creating products and experiences customers want. On the other hand, handing such data in a consistent secure manner company wide is very difficult, especially when that data lives in many places and with 3rd parties. Companies that engage in M&A activity are especially at risk because their personal data is often fragmented across hundreds (or even thousands) of data silos.
Compliance with GDPR is a good start. If Facebook had automated data governance in place that fully complied with GDPR (including controls for 3rd party access like Cambridge Analytica) , their risk would have been much lower. If you'd like to know more about data governance automation for GDPR, look here.
It was the fall of 2014 and we were finally ready. Nearly 10 years after getting my MBA in Entrepreneurship from Southern Methodist University in Dallas, we had finally built up enough savings and it was time to leave the corporate world to embark on the new, uncertain path to building a new company.
While Amazon, Facebook, Google and other “digital native” companies rapidly launch new products and services with a modular, automated, standardized approach (Devops/Agile), traditional companies increasingly struggle to compete because they can’t take advantage of actionable data being held hostage by traditional and SaaS software vendors, legacy systems, and business silos.
At over 4000 words, Jeff Bezos' 2016 letter to Amazon shareholders (posted last week) has a lot to say. While I highly recommend tech executives and investors read the entire thing, here are my top ten excerpts from the letter: