Julian Saunders, CEO and founder of personal data governance company PORT.im, discusses how alleged breaches of GDPR by Facebook and Twitter may just be the beginning
Cast your mind back to early 2018. The world was alive with the sound of GDPR commentary. In the run-up to the May compliance deadline, everything was up for debate. Would it spell the end of marketing as we know it? Was anyone actually compliant? Was it good news or bad news for businesses? And, getting the most airtime – would GDPR be a damp squib like the Cookie Directive?
If you were of the opinion that GDPR was a lot of hot air, the intervening months may feel like vindication. GDPR has largely dropped off the agenda of most media publications and, with it, off the minds of many business owners. However, we’re merely in the eye of the storm. In the last few weeks Facebook, and now Twitter, have been squarely in the crosshairs of regulators for allegedly failing to comply with GDPR. The EU has issued a stark warning that big fines will be handed down before the end of the year. Similarly, the ICO has ramped up its warnings that major action is likely to be taken. Adding to this momentum has been a seemingly endless series of high-profile data breaches, with Google+ the latest casualty.
For business owners who have put their GDPR compliance on the backburner since May, the warning could not be clearer: if you aren’t GDPR compliant, you’re likely to be in some serious trouble in the next few months.
Facebook has quickly become the poster boy for poor data governance procedures. Cambridge Analytica, data breaches, and GDPR failures have all come in quick succession and provide a case study for businesses on how not to collect and manage data. While it may be tempting to revel in some schadenfreude, a better approach is to see what every business can learn from Facebook and how they can protect themselves from the expected GDPR storm.
First, it should go without saying that financial organisations hold some of the most sensitive personal data. Thankfully, the most important data, that linked to account information, has largely been well protected. However, having high security standards around bank accounts can breed complacency, especially when you consider that it’s not the only information the average financial company holds. The marketing, customer service and sales departments will usually each have their own customer databases, which may be subject to vastly different security and governance standards. A breach of any of this data could be fatal to a financial organisation and result in hefty GDPR fines.
General complacency is kryptonite for data management and protection. For Facebook, its complacency manifested itself in lax standards, questionable practices and a belief that it would never be brought to account. For financial organisations, it can lead to blind spots around data that is deemed less ‘sensitive’. Often, to enable smooth marketing, client management and sales operations, customer data is more readily accessible than financial information: it is shared with more parties, updated more frequently and entered into more platforms. Each of these processes increases risk. Compounding this issue is a general lack of education about the power of this data to do harm. Many would ask, what use is an email address to a hacker? The short answer is, a lot. This is why GDPR seeks to protect every piece of personal data.
If you’ve read this far and you’re beginning to feel some doubt about your data practices – good. Now is the perfect time to audit and review all your data processes and security standards. The baseline question should be: is everything GDPR compliant? If it was in May, is it still compliant? New technology, teams and initiatives can all change your data processes and result in non-compliance.
If you avoided all of this in the faint hope that GDPR wasn’t going to be an issue, you need to get on it immediately. In this instance, buying in technology and availing yourself of the services of specialist consultants will be the fastest (but not the cheapest) option.
Next, what is the general understanding of your staff? All the procedures and technological safeguards will mean nothing if your colleagues do not understand what GDPR is and the danger of data breaches. Undertaking company-wide training regularly and incorporating data management expertise and ethics into staff development and assessment can be a powerful way to measure and improve education.
Finally, if the worst happens and there’s a breach – are you prepared? Time and again we see that a poorly handled response to a data breach generally does more damage than the breach itself. Again – I’ll point to Facebook and its slow, incomplete and unsatisfactory responses to each and every data issue it has encountered.
Slow responses are symptomatic of a failure to have the right procedures in place. This can be because there is no technology or expertise available to identify the breach in the first instance, or because the right people are not empowered to make quick decisions. You need to start from the position that any breach, no matter how minor it appears, is serious. It should be reported to a specialist team led by the CEO. Within that team should be the IT lead, marketing, customer service and legal. Consumers should be informed as quickly as possible, both to be GDPR compliant and to reassure them. The business needs to identify who is impacted, how, what went wrong, how it can be fixed and how consumers will be protected in the future. The faster these boxes are ticked and communicated, the better the end result – especially if the ICO gets involved. As with anything, practice makes perfect. Conducting wargames and drawing up ideal responses and contingencies with this team could make all the difference.
We now live in a world where the reputation and future of a company can be destroyed by hacks and data breaches. Organisations are generally to blame for this environment. There has long been a culture that treats personal data as a commodity that businesses can deal with as they wish. Now the wheel has turned. If you’re one of the many business owners who still believe that data governance is just something for the IT department to worry about – you’re going to be in for a big surprise. By the end of the year, a number of large businesses will be hit with near-fatal fines as a warning to other companies. Acting now will ensure that your company is not one of these cautionary tales.