Ai Editorial: As trust around “personal data” wanes, hopes hinge on a stringent regulation

First Published on 21st March, 2018

The uproar about the reported “data breach”, featuring Facebook and Cambridge Analytica, a political data analytics entity, has raised concerns around the handling of “personal data”, writes Ai’s Ritesh Gupta  

 

Trust around the way personal data is being managed has taken a beating over the few days, post reports about how data featuring “Facebook users” was used for targeting of political ads mainly to aid then-U.S. presidential contender Donald Trump to forecast and tilt choices in one’s favour at the ballot box. According to a report by Reuters, Scott Vernick, a partner and an expert in privacy and data security at the Philadelphia law firm Fox Rothschild, said that Facebook “lost control of the data and wasn’t adequately monitoring what third-parties were doing”. Facebook stated that people knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked. Even though Facebook has defended their position, the impact of GDPR or General Data Protection Regulation on organizations of Facebook’s stature as well as the way personal data is collected and managed is coming to the fore. This regulation places greater emphasis on consumer consent and transparency in the collection and use of personal data.  

As we highlighted in one of our recent articles, travel e-commerce companies have been assessing their existing level of data protection compliance, as GDPR comes into force on 25th May this year.

Data being illegally acquired and used

The impact of this regulation would be extensive, as it applies not just to entities based in Europe, but to any organization that holds or processes personal data of individuals residing within the European Union (EU).

The fact that the ICO (Information Commissioner Office), the UK’s independent body set up to uphold information rights, is looking at investigating the use of personal data for political campaigns (with reference to the acquisition and use of Facebook data by Strategic Communication Laboratories, psychology professor at the University of Cambridge named Dr. Aleksandr Kogan and Cambridge Analytica), shows the organizations need to ensure that they don’t get embroiled in any controversy pertaining to data being illegally acquired and used. Elizabeth Denham, Information Commissioner stated that it is important that the “public are fully aware of how information is used and shared in modern political campaigns and the potential impact on their privacy”.

Considering that businesses have to keep a vigil on possible criminal and civil enforcement actions owing to any irregularity, it is better to gear up for a regulation like GDPR in an earnest manner. So it would be better to study budgetary, IT, personnel, governance and communications implications of GDPR at this juncture. This would mean businesses not only defend themselves against any potential fine or penalty, but they also ensure the trust of their customers doesn’t get broken.

Time to embrace accountability

There is a checklist for data controllers and data processors.   

Certain companies are going to process personal information as both a controller and a processor. So in such cases it is recommended that they complete the required assessments, both for a controller as well as a processor.

According to the ICO, organizations might as well get into the details of the new regulation, and how the same would potentially affect their business model and accordingly work on the planning process.

Some of the areas that travel e-commerce companies can dwell on are:

·          Senior management needs to be aware that the law is changing to the GDPR and by preparing in a diligent manner it could help them to be accountable possibly for other regions, too.

·          Be in control of what personal data an organization holds, the source and if it is going to be disclosed to other parties/ partners, who they are.

·          Clarify and account for basis for processing the data, and the period for which the same is going to be retained.

·          Be aware of an individual’s rights. According to the ICO, in case of the GDPR, rights for individuals include the right to be informed; the right of access; the right to rectification; the right to restrict processing etc.

·          Be ready to effectively detect, report and investigate a personal data breach.

Before organizations commit any error, knowingly or unknowingly, better would be to dig deeper into the way personal data is being collected, the source, the processing etc. to ensure they are in control of the situation. And a regulation such as GDPR could well prove to be a new benchmark in areas such as training employees about the new regulations and impacts on data handling and breach notification.  GDPR has come at a stage when there is a lack of trust among customers (concerns about privacy, lack of trust in brands among the most etc.). It is also expected to raise awareness among customers about data collection and eventually would encourage them to trust brands.

  

Hear from experts about GDPR at the upcoming Ancillary Merchandising Conference, to be held in Edinburgh, Scotland this year (9-11 April, 2018).

For more info, click here

                        

For Ai’s 2018 Events, check - www.aieventdates.com

Follow Ai on Twitter: @Ai_Connects_Us