The U.S. Federal Trade Commission (FTC) is investigating whether Facebook, Inc. allowed personal data to be used by an analytics firm associated with the Trump campaign. Specifically, the FTC is trying to determine whether the company violated the terms of an earlier consent decree when data on some 50 million users was transferred to Cambridge Analytica, a data and media consultancy. To date, Cambridge Analytica has been accused of misrepresenting the purpose of some of its data mining, which yielded roughly 30 million Facebook profiles it could comb for data. The case calls into question how consumer information is shared with other entities, particularly when consent was never given.
Social Media & GDPR
This revelation has called into question how social media sites harvest personal information from their platforms. As one article pointed out, “Some large-scale data harvesting and social manipulation is okay until the election. Some of it becomes not okay in retrospect.” This is troubling at a time when personal information is routinely monetized by malicious actors or used to support other operations (e.g., social engineering, spam, phishing, credential theft). A recent report by a content marketing agency found that Facebook logins sell for about USD $5.20. Such access gives a criminal the compromised individual’s contact list, which can then be used to target other people. According to the same report, an individual’s entire online identity, including personally identifiable information and financial accounts, could be sold for around USD $1,200.00. After initially denying the claim, Facebook acknowledged the breach and promised to take action.
Breaches and ransomware attacks are more prevalent than ever, and concern for protecting data is mounting on a global scale.
Toward that end, the EU has put forth its General Data Protection Regulation (GDPR), but no legislation can be implemented without consequences for the businesses that must comply with it. Given that the GDPR aims to standardize data privacy law and its enforcement mechanisms across industries, few sectors will escape significant impact.
Any company that directly or indirectly controls or processes the personal data of individuals in the EU will be affected by the GDPR. Note that the regulation’s term is “personal data,” which is broader than the U.S. notion of personally identifiable information (PII): any information relating to an identified or identifiable person qualifies. Both ‘data controller’ and ‘data processor’ are broadly defined, which means that virtually every company handling such data will be impacted. For small businesses, dealing with these collection and processing requirements will be overwhelming, if not crippling.
Adopted by the EU Parliament in April 2016, the European Union’s (EU) General Data Protection Regulation (GDPR) applies from May 2018. It replaces the 1995 Data Protection Directive (95/46/EC) and is designed as a new approach to how organizations process and protect data, particularly the personal data of individuals in the EU. In addition to streamlining how all EU member states secure information, the GDPR standardizes data privacy law across the Union. Because the GDPR is a regulation rather than a directive like its predecessor, it is directly applicable in every member state without needing to be transposed into national law.
The GDPR takes effect at a time when substantial breaches have dominated the news, particularly incidents in which users, through no fault of their own, had their sensitive personal information put at risk. The breaches at Equifax and the U.S. Office of Personnel Management are two examples; the former exposed records on nearly half of the population of the United States. One of the most notable differences between the GDPR and its predecessor is its focus on the rights of individuals, giving them substantial control over how organizations use, process, and store their information. Among the rights the GDPR grants individuals are:
The new GDPR (General Data Protection Regulation; see the full document here) issued by the EU earlier this year raises many questions among compliance and privacy officers. Who is required to comply with the GDPR, and are companies really expected to revamp the entire way they handle customer privacy?