It’s good to share? Not always…the consumer privacy lesson brought to you by Facebook

by Geoff Andrews, ANZ Regional Director at Ping Identity

Hands up... who was fascinated by the sight of Facebook founder Mark Zuckerberg fronting the US Congress earlier this year to face intense questioning over the social network’s business model and its commitment to privacy?

The hearing came on the heels of the discovery that political consulting firm, Cambridge Analytica, had used Facebook data to profile US voters in the 2016 election campaign which saw Donald Trump swept to power.

While questions centred largely around what Facebook knew of Cambridge Analytica’s data harvesting practices, the proceedings highlighted some major challenges and considerations around data privacy and security – not just for Facebook, but all companies which collect consumer data.

Even if you’re not one of the two billion people who use Facebook, you’d be justified in wanting to know more about how information about you is stored, shared and exploited.

Tough new rules

While the US is yet to impose stringent regulations on how organisations manage data privacy and protection, it’s a different story here in Australia.

Beefed up privacy laws which came into force in February 2018 require businesses to lock down customer data and respond promptly in the event of a suspected breach or face stiff financial penalties.

Further afield, the European Union introduced a General Data Protection Regulation (GDPR) in June 2018 which establishes tight controls over the way organisations handle personal and sensitive information. The regulations cover user-based consent, self-service personal data management, portability and erasure of data and end-to-end security

They apply not just to EU-based companies but to any organisation selling or marketing to EU citizens and residents. Penalties for non-compliance can rise to an eye-watering 20 million Euros.

How to manage data privacy and consent

While regulatory regimes may differ around the world, it’s possible to detect a common thread. There’s increasing acknowledgment of the concept that personal data is ‘owned’ by customers and that the organisations which collect, store and use it are custodians, who have a duty of care to ensure its integrity and security. 

How is that best done in practice? It helps to begin by acknowledging that data about customers – identity data – is unique. While, like other forms of data, it must be stored in a secure repository, it has unique management requirements.

A customer identity directory must be able to store both structured and unstructured data and allow developers to store new types of data, without the need for schema changes. It should be scalable, to the point that it can support millions of identities and billions of attributes and be able to handle authentications during periods of peak usage.

In an era where data breaches and hacking activity are on the rise – and bring with them the potential for significant financial and reputational loss – it should also provide the highest level of security, including protection against insider attack.

It’s also imperative administrators have complete control over the customer attributes individual applications are able to access. Some applications may require the equivalent of a higher ‘security clearance’ while others may be restricted by whether or not customers have provided consent for their attributes to be shared in that instance.

Smarter data governance

Relying on applications themselves to update API requests or to ask only for access to the attributes they are permitted to see is an imperfect and unreliable modus operandi in the digital era.

It’s preferable for applications’ access to data to be controlled via a governance mechanism which allows administrators to restrict access on an attribute-by-attribute level, at the data layer. That way, applications can all use the same API call, but only the data an application is allowed to see will be returned.

Storing customer consent itself as an attribute – a piece of information in the directory – within the directory can make managing access a more straightforward affair than it has been historically. Applications can be configured to enable customers to indicate consent on a case-by-case basis, via a user interface, in the same way in which their email address and other personal details are collected.

It’s about laying the foundation for a data governance regime which gives customers precise control over their data and enforces consent more actively and effectively than an old school privacy policy is able to do.

The front foot approach

Data privacy and consent are no longer mere technical or peripheral issues. They’re on the mainstream news agenda, courtesy of the Facebook case, and likely to stay there.

Companies which implement governance structures and technologies that put into practice the maxim that consumers, not companies, own personal data won’t just reduce their chances of running afoul of regulatory regimes. They’ll also stand a better chance of retaining the trust and loyalty of their customers for the long term.

Tags FacebookCambridge Analytica

Show Comments