The UK privacy watchdog – the Information Commissioner's Office (ICO) – plans to fine Facebook £500,000 for its part in the Cambridge Analytica scandal. As the breach took place before the EU GDPR came into effect, this is the largest possible penalty. But if the scandal had hit today, the ICO could have fined Facebook four per cent of global turnover – that’s £1.6 billion.
Given the social media giant makes £500,000 in less than five minutes, the fine itself will barely put a dent in the company’s balance sheet. But as it’s the maximum possible, it serves as a stark warning to protect individual privacy.
As individuals, we’re now so dependent on digital technology that we would barely function without it. We work online, we interact online, we pay our bills online, we watch TV online, we communicate online and we learn online. We’re all going Total Digital.
And this means we’re sharing more of our personal data through an ever-growing online ecosystem. This creates an opportunity to grow revenues and profits by putting digital at the heart of everything you do. But to truly benefit, the core of such digital transformations must be increased transparency, fairness and integrity – organisations have to put privacy at the fore when evolving.
Of course, privacy regulators will continue to work to protect our personal data. The ICO has already expanded its investigations since the Cambridge Analytica scandal, issuing warnings to 11 political parties and compelling them to agree to audits of their data protection practices. Other countries and authorities are also developing data protection regulations with strong penalties for non-compliance, including Israel, Qatar, California and India. And many more are likely to follow.
But privacy isn’t just about following regulations – by being proactive, organisations can see benefits like improved customer engagement and better brand reputation. Having transformed data privacy for organisations around the world, we know there are five essential steps to take when building a privacy programme:
One of the main aims of any business is to maximise the value of data without jeopardising security. While organisations should embed privacy in all the data they use, many have limited resources and must prioritise which data is most important to them. This doesn’t mean they shouldn’t follow basic security and privacy principles for all data; rather, they should apply more controls and consideration to the core data. To do this, they need to understand the potential of all data without compromising or misusing it. We’ve developed a privacy assessment tool that helps organisations improve their protection of data and maximise the return on investment.
Without setting up robust governance, your privacy programme is unlikely to succeed. Buy-in from stakeholders across the organisation is vital to ensure data is correctly safeguarded, transferred and used. Organisations can get this support through awareness-raising activities and training.
All data should have an owner who has sole responsibility for it. Assigning data owners, stewards and custodians is a first step to guaranteeing that people accept responsibility for data and manage it appropriately. Running regular reviews of data management processes and optimising and rationalising the data will also ensure responsibility for data is correctly distributed and accepted.
Organisations must create a data classification framework that highlights sensitive data. Involving people from across the business in this process will be critical. Organisations must also ask relevant people precise questions (like asking marketing what data they use most) and establish roles and responsibilities for managing personal data to create a sustainable data management strategy.
Running privacy gap and security impact assessments will help organisations understand the threats they face, letting them prioritise privacy investments and solutions. Adopting leading privacy standards like ISO/PC 317 Consumer Goods: Privacy by Design, or following security best practices like NIST Standard Framework, will show what controls to use to reduce privacy and security risks. But organisations might need further controls to tackle their unique threats, and they may need a tailored security strategy.
It’s important to regularly re-evaluate what data matters the most, the value of investing in data technology and how people manage data. Reporting results to the business, honing processes and regularly adjusting the privacy and security culture within an organisation will help everyone stay engaged.
By prioritising privacy, organisations can get far greater benefits than just regulatory compliance. A robust data privacy strategy reduces risks, grows customer trust and can save money in the long term. This will lead to greater profits, a more engaged audience and an opportunity to lead the business into the future.
So remember, focusing on individual privacy will be the key to your ongoing digital success.