April 3rd 2020 – By Danny Reeves

What can we learn from Facebook falling foul of its data privacy obligations…again?

Originally published in SC Magazine.

Well-managed compliance entails locking down everything contained within your data estate by embedding your policies into the day-to-day processes and ingraining them into your people’s mentality.

Despite announcing in the autumn that it was planning the European launch of its dating app, the social giant Facebook failed to demonstrate that it had adequately assessed its data privacy obligations and risks by submitting a Data Protection Impact Assessment (DPIA). Giving just 10 days’ notice, it failed to provide the Irish Data Protection Commission (DPC) with enough advance warning of its intention to launch the app.

As a result, Facebook has been forced to place its plans on hold, and now faces a huge financial hit. 

For companies that fail to maintain proper procedure around data governance on an ongoing basis, getting slapped with a fine is the least of their worries. As in Facebook’s case, six months’ worth of work is lost, there’s the revenue lost by delaying the product launch, and then there’s the reputational damage caused by the blatant disregard for data privacy.

So, what lessons can we learn from this costly mistake?

1. Data regulation is the elephant that’s not leaving the room. 

The introduction of the GDPR was utterly sound and elegantly simple. It boils down to the fact that personal data belongs to consumers, not businesses. So, as holders and processors of data, we need to stick to our data privacy obligations and treat consumer data as we’d want our own treated: knowing what data the company holds and why, honouring the obligation to delete it when it’s no longer needed or when the customer requests it, and taking responsibility for not losing it. What’s becoming clear, both from the fines imposed on BA and Marriott for failing to adequately protect personal data, and now from the Facebook Dating story, is that the Information Commissioner’s Office (ICO) is taking its duty seriously and taking no prisoners.

What does this mean for businesses? 

Firstly, make data governance easy. 

Ahead of enacting GDPR, most organisations spent time, energy and significant budget getting compliant. It involved multiple spreadsheets, many tick boxes and impossibly complicated policies. 

Now, however, we are operating in a post-GDPR world where data protection is no longer a tick-box exercise. As Elizabeth Denham, the Information Commissioner, said in early 2019, ‘For me, the crucial, crucial change the law brought was around accountability. …[the] next phase of GDPR requires a refocus on comprehensive data protection – embedding sound data governance in all of your business processes.’ 

The onus therefore is to create a simple, memorable set of data protection and governance principles that become ingrained into your culture. 

Secondly, clipboard-based data protection – real or virtual – just isn’t enough. 

If you go and ask them, internal teams simply don’t know whether they are securing, storing and sending data properly. You need to help them to follow policies and do the right thing.

2. The biggest risk of non-compliance is reputational damage

The uncomfortable truth is that despite your best efforts, data breaches can happen to anyone, because a hacker with enough intent can usually find a way to exploit the slightest vulnerability within an IT infrastructure.

When a company falls victim to an attack, it is going to be a painful experience that involves identifying what’s been stolen, notifying the ICO of the breach, and then explaining the situation to the customers. And it doesn’t matter how that news is framed; all you’re going to hear from your customers is: “You lost my data.”

In that moment, no fine imposed by the ICO is going to be enough to balance out the fact that you broke your customer’s trust – they gave you their most precious possession and you failed to protect it.

But I’ve never come across a conspiracy to misuse data. The failure arises because every business is handling so much data. It is the sugary snack of the modern business world – tempting, tasty, and there’s a lot of it.

But while the marketers and developers are trying to get their hands on as much data as they can – in an attempt to do the best job they possibly can – there’s not enough thought given to how to use it responsibly and they can overlook their data privacy obligations. And that’s usually because privacy policies haven’t been ingrained into workplace business-as-usual. Without the right tools and processes in place, people lack the guardrails for how they should deal with data every day.

It’s the role of the Data Protection Officer (DPO) within an organisation to ensure that the technology, people and processes are up to the job of maintaining high security standards. Doing this effectively has the positive knock-on effect of mitigating the risks associated with reputational damage.

3. Proper planning prevents poor performance

Ok, so we’ve all heard the saying, but what does ‘proper planning’ look like when it comes to privacy?

For Facebook, the European launch of its dating app is the latest in a long line of investigations into its data privacy obligations. On this occasion, the root cause was a process failure. The launch was at least six months in the making. Marketing knew this and had pumped a lot of time, effort and resource into the activity, and yet the information wasn’t passed on internally so that it was ready for ‘official’ communication with the regulator. Facebook then failed to provide the DPIA, which forced the DPC to visit in person and forcibly take the information it had repeatedly requested.

It’s an example of privacy not being embedded as part of business-as-usual and merely existing as a document, locked somewhere in a file share, never to see the light of day again.

We see it every day. Companies spend time perfecting their privacy policy, then protect their perimeter and believe they’re safe. Well, they’re not – far from it, in fact.

Well-managed compliance starts with your data. Good data management practice isn’t about just locking the front door, it involves locking down everything contained within your data estate – that’s billions of files across multiple storage devices. This can only be done by embedding your policies into the day-to-day processes and ingraining them into your people’s mentality.

Better compliance starts with one simple change

We may have hit the fourth industrial revolution – the data age – but some things never change. 

With every new wave of innovation, the world gets excited and carried away. Then, some time later, governments figure out that these amazing new innovations have serious consequences that need addressing with regulation. GDPR has started that process in our data-driven age, but more needs to be done, which is why I believe there will be more data regulation to come.

There is the promise of a ‘kite-mark’ for companies that can demonstrate compliance with GDPR. This cannot happen soon enough, because with this symbol in place, consumers will gain the reassurance that the companies they entrust with their data are proactively keeping it safe.