The (GDPR) phantom menace
I am convinced that many of us have followed with interest the situation recently generated by the revelations about the use of personal data provided by Facebook to Cambridge Analytica.
Perhaps many have been surprised to see how far they went and what impact these data may have when used for purposes that are not quite clean. My opinion is that we should not be surprised; this has been done for many years, long before Facebook (or other social networks) became part of our existence. The electorate and consumers have always been influenced (I do not intend to use the word “manipulate”); modern technology only makes it possible to apply the influence techniques faster and more efficiently.
Maybe many feel the need to come to Facebook’s defence for being affected by this scandal. To be honest with you, I do not feel that need. I do not want you to misunderstand me: I admire Facebook for its ability to innovate, for how it managed to become a part of our daily existence, for how advanced they are from the technological point of view, and much more. But let’s be honest!!!! Do you really think they did not know what was going on? Especially because these are not things that happened yesterday and, surprise!!!, appeared in the press today.
Personally, I do not think Zuckerberg arrived home one night, tired from work, found the Cambridge Analytica guys in his living room, rummaging through his drawers, and asked them “What are you doing here?” “Well, we are working honestly, boss!!!” “Good, guys, keep up the good work, I am not looking at you!!!”
I do not believe in conspiracy theories, but this whole situation sounds like a controlled scenario. First of all, Facebook did not violate any law by providing that data, and Cambridge Analytica did not violate any laws by taking the data from Facebook. I cannot say anything about the legality of the use of the data by Cambridge Analytica, but that’s not the purpose of the article.
Secondly, I wonder what would have happened if the situation had come to light after GDPR’s entry into force? Would the decrease in Facebook capitalisation be only $50 billion? Would it not also have received a fine (between 2%-4% of the global turnover)? Certainly it would have gone to court for years with the EC over the fine, but the situation would have affected the performance of Facebook shares more. Or they would have paid the fine immediately to close the subject … but that would mean acknowledging that they were wrong, and that would also have been bad for them. After the entry into force of GDPR, would Zuckerberg have been willing to put ashes on his head, saying “We have a responsibility to protect your data, and if we cannot then we do not deserve to serve you”? Or would he have said with as much conviction that social networking would need more stringent regulation? My opinion is that none of this would have happened if the scandal had occurred after the entry into force of the GDPR.
So my main conclusion is that Facebook is not at all in a crisis, as many have rushed to say. On the contrary, I think Facebook succeeded in professionally managing a possible crisis that would have affected it much worse and for a longer term. Sure, they lost $50 billion on the stock market; it was normal for the stock exchange to react in this way. But let’s be honest!!! It’s not as if someone had taken $50 billion of their pocket money these days. It’s a considerable but not irretrievable loss, especially as Zuckerberg has recently announced a change in vision for Facebook’s future, which is likely to soon lead to a rising stock market reaction.
My secondary conclusion is that Facebook has reacted to a ghost menace… the GDPR ghost. Companies with the same occupation as Cambridge Analytica are operational all over the world. The techniques are known by everyone, as are the sources of data. I do not think we can be so naive as to believe that the only ones who had the brilliant idea of using Facebook data were Cambridge Analytica, especially as, I repeat, Facebook did not violate any law by providing this data and Cambridge Analytica did not violate any laws by downloading this data from Facebook. The only difference between Cambridge Analytica and other companies with similar activity in other parts of the world is that the company in question comes from a state that is (still) an EU member, where the GDPR will come into force in late May 2018.
Should we be afraid of the GDPR ghost?
Let’s clarify why I’ve talked about the GDPR ghost. First of all, the ghost thing is my personal opinion; I do not claim that it must be accepted. Secondly, we all feel and know it is coming (no more than 2 months until it enters into force). Thirdly, it has many uncertainties as to how to apply it (let’s tell the truth, most people worry about when, who and how can bring trouble into their yard, that is, a control from the responsible authority) as well as regarding what and how can be considered as personal data (beyond explicit mentions, there is that vague expression, namely “all that can identify a person”). And last but not least, I think that some of the many consultants and pseudo-consultants who have appeared in the market since the GDPR’s “blunder” made an important contribution to the “demonisation” of GDPR.
I strongly believe that we must not be afraid. I think GDPR is coming to regulate something that had to be regulated for a long time, and the main purpose of the regulation is to prevent Facebook-Cambridge Analytica cases (until new and more subtle ways to use personal data are found, because you must have no doubt that it will happen! Here we talk about the ancestral “conflict” between those who regulate a domain and those who do business in that area and often act on the principle that “what is not explicitly prohibited by law is permitted”).
Certainly all radars will be pointed at the big ones; they are the first target. But let’s not have any worries about them: good lawyers exist all over the world, and I do not think that the big ones have any problem in paying good lawyers. It would not be a good idea to believe that if we are not part of the big ones, we’ll go under the radar. I have also heard of cases where some firms are already setting aside a budget for fines … even that does not seem to be a good idea for GDPR.
I also believe that GDPR will force us in some way to realise that business reputation and respect for customers are really basic ingredients for success (or just thinking that a GDPR fine can make us forget that we ever had a business!!!).
I also believe that the strict enforcement of the regulation can also lead to abuses. I think it’s a good thing that potential complainants do not have a stake in a percentage of the fines, but that does not rule out the possibility that, after a company has received a fine for non-compliance with GDPR, it will be sued by angry people who suddenly feel harmed and wish to claim damages. Let us remember the famous VW case related to the emissions scandal, in which the manufacturer paid both the fine imposed by the authorities and specific compensation to some of the car owners who, just like that!!, after years of happy driving, woke up to find that they had been harmed.
Last but not least, I think the regulation will undergo changes both in the way it will be applied and in which data are considered personal data. But until then, the regulation is the way it is; as such it will come into force, and we have to comply with this form.
My conclusion is that we must not be afraid of this ghost and that we can bring it relatively easily into reality and we can keep it under control.
How do we bring the ghost into reality?
Well, the first method would be to do nothing and wait … anyway it will come at the end of May 2018; whether we want it or not, it will become reality!!! The second method would be to call Ghostbusters … we have both the masculine and feminine versions … but I’m afraid their methods are valid only in movies!!!
The third method (the one I warmly recommend) is to realise that GDPR compliance must be part of the basic hygiene of our business. We need to realise that it is necessary to respect our clients and that it is necessary to know by whom and how their data is used in our own yard … and to keep our yard clean. If we are aware of this, implementing the GDPR provisions will no longer be a burden.
Be aware that you are not there yet. It’s like on the subway (not the one in Bucharest) … be sure that there is an empty space between the edge of the platform and the subway car, and do not get upset when you are told to pay attention to this empty space.
If you do not have internal resources, call those who can really help you. I think the time of pure GDPR consulting is over. Ask those who can help you to cut the talks, presentations and workshops, and to get involved side by side with you to put into practice what is needed. Analyse, or request the analysis of, your processes, data, information flows and the roles involved in data processing. Implement, or ask those who will assist you to implement, methods and tools that can centralise and analyse how data was accessed and that can alert you when data access was inappropriate. There is nothing hard and nothing to be scared of. If you cannot do it on your own, trust your fellow GDPR professionals. Fortunately, there are many professionals who can help you.
Copyright © PMC, All Rights Reserved