The headlines have been dominated by the recent news around Facebook, Cambridge Analytica and the misuse of customer data. The impact of these revelations has led to millions being wiped off Facebook’s share price and an ongoing investigation into the incident.
With just two months left until the General Data Protection Regulation (GDPR) comes into effect, this scandal could not be timelier. The ongoing discussions around Facebook’s use of customer data are a clear reminder that businesses still face a number of challenges when it comes to protecting customers’ data.
Facebook under GDPR
Many businesses have grown weary of hearing about the major impact that GDPR will have on their operations – but this is no time to be complacent. Had the Facebook incident taken place after GDPR’s implementation on 25th May, the company would have been liable for a much more sizeable fine, up to 4% of its revenue.
Regardless of how much a company makes, the fines imposed by GDPR are not something to be taken lightly. To avoid the risk of stiff penalties, businesses need to fundamentally change how they manage their data. This not only means eliminating any outdated methods of processing client information, but also adopting new techniques that are in line with the rules set out by GDPR.
Changing data concerns
Historically, businesses have had very few restrictions over how they use information provided by their customers, clients and employees. However, this will no longer be the case once GDPR comes into effect. A number of new protections will apply, such as data subject consent, new encryption processes like pseudonymization, and the introduction of officers specifically tasked with ensuring company data is regulated.
In the past, security or information breaches were the only focus when it came to data compliance, but this will also change post-GDPR. Under these new rules, ignoring issues such as user consent or data transparency will leave companies vulnerable to serious sanctions from the Information Commissioners Office (ICO). As a result, traditional approaches to data security are no longer feasible. Instead, companies will need to have an effective framework to protect their customers’ data – not only today, but also in the future.
Irrespective of a punitive regime or new regulations for corporates, customers have an equal role to play in protection of their own data. They have to make informed choices on potential uses of data, and the perils of a digital footprint. To some extent, it is best to follow the old adage ‘Better to be safe than sorry’ when it comes to widespread data sharing across anonymised technology platforms.
Applying the lessons
With such a short time left until GDPR comes into effect, there are some things that every business should be doing immediately to ensure compliance. First, all of the company’s data needs to be linked up, seamlessly and securely. Fragmented information is the easiest route to non-compliance but can often be the hardest to overcome.
The primary aim of any business meeting GDPR compliance is connecting this fragmented data. While this may not have been a challenge for Facebook, it is still a hurdle that many companies struggle to overcome. However, once data can be consolidated, the business will have a much clearer picture of how compliant it is.
Technology alone won’t be enough though; businesses can employ many different solutions in their pursuit of compliance, but these won’t deliver the best results unless a clear digital strategy is in place. Facebook has shown that even the most data savvy business can fail if it doesn’t respond to issues or inconsistency with its clients’ data. Should this happen under GDPR, many businesses would struggle to rebuild.
The ongoing developments with Facebook will become increasingly important as the date for GDPR draws ever nearer. Compliance requires a careful balance between technology that can provide data transparency and a clear strategy to ensure company data is not vulnerable. Whatever the outcome of the investigation into Facebook, businesses should use the incident as motivation to ensure they are GDPR compliant before the 25th May deadline.