Just because there’s no one fix for GDPR compliance, that doesn’t mean there aren’t solid ways to keep from pulling a Zuckerberg-level cock-up.
Photo credit: Raphaël Labbé from Paris
This week in London, it was a speech to disappoint anyone hoping to snag a secret recipe for complying with the fast-approaching General Data Protection Regulation, or GDPR, the European Union’s play to shield its citizens’ online information from precisely the kind of parasitic commercial pilfering brought to light by the ongoing Facebook/Cambridge Analytica scandal.
On the main stage of the Unleash Conference, it was a frightening but opportune confluence: with breached data threatening one of the most powerful players on the web and sending its once-bulletproof stock plummeting, Ardi Kolah, director of the GDPR global transition program at Henley Business School, explained to a large section of the 500 talent acquisition professionals present that most organizations won’t be adequately protected when the new law kicks in on May 25th.
To understand this new legislation, “consider the bill’s genesis as a way to regulate the digital marketplace, a codification of best practices, as opposed to protection against malevolent hackers,” says Kolah, “and GDPR will make a lot more sense.”
That said, it’s hard not to conflate fears about what GDPR could do to your business with what Facebook is going through in the wake of the revelation that consulting firm Cambridge Analytica amassed data from up to 50 million profiles, which were used, via Facebook, to sway votes in favor of the 2016 Trump campaign. These actions contravened Facebook’s own rules, which forbid third parties from using any user data for commercial means. Had GDPR already been in force, given that it applies to EU citizens not only in Europe but anywhere they exist in cyberspace, this kind of data scraping, from that many profiles, would more than likely have fallen under its legal purview, and could have cost Facebook four percent of its annual profits. (Facebook has reportedly lost about as many dollars of stock market value as there were affected users.)
Facebook founder Mark Zuckerberg has denied that the net-quaking profile harvest was any kind of theft at all, and this issue isn’t going to go away soon. But to bring the issue into a more earthbound context, if, say, a medium-sized company has followed Kolah’s advice and retained legal counsel to ensure compliance, what would happen should they experience an involuntary breach?
Kolah maintained that each situation will be unique, but laid out the basics for what an action plan could look like:
- Identify risk in areas of your business or service at high risk of data breach.
- Mitigate the risk by tightening up porous areas so that they can be carefully monitored.
- Record your efforts to mitigate risk, to increase transparency, and protect your company should a data breach occur.
The biggest takeaway is that training is your first line of defense. Anyone in your company who handles the personal data of EU citizens protected by GDPR should be schooled in handling this sensitive information appropriately.
“If your company experiences a data breach,” warns Kolah, “you can be sure HR will be paid a visit, and the first thing these government agents will ask for is your training records.”
But, he noted, good-faith efforts like training will certainly move the needle in your favor if you find yourself on the wrong side of GDPR:
“I don’t think the EU will be chasing anyone down the street with random punishments. They are much more concerned about people who will deliberately put millions of people’s data at risk without blinking an eye in the name of profit.”
Right now, this is on every business leader’s mind. While no one knows 100 percent how they or their business communities may be affected, for the time being it’s most important that your business is seen as trustworthy with sensitive personal information, the kind of trust that Facebook, a harbor for billions of online profiles and thus saleable personal data, is bleeding profusely right now.