With the introduction of GDPR just a few weeks away, the recent news about Facebook has lessons in it for smaller businesses too: its dealings with Cambridge Analytica, the exposure of millions of users' data, the lengthy delay before it confessed all, the hauling over the coals by the media, and the subsequent dressing down in front of Congress in the US. (Strictly speaking this was not a breach of Facebook's own systems but the harvesting of user data through a third-party app that Facebook failed to police; the article uses "breach" in the everyday sense throughout. The distinction matters under GDPR, where controllers are accountable for how the data they hold is shared and processed, not only for keeping intruders out.)
Customers share their data with you on the assumption that you will keep it safe; it is part of what makes you a trusted advisor, that you have their interests and protection at heart. In addition, the stringent requirements of GDPR place the safeguarding of customer data front and centre. The recent conduct of Facebook and its subsequent fall from grace is a timely cautionary tale of what can happen when you don't.
The fall-out for Facebook came quickly: within days of the story becoming public, the social media campaign #deletefacebook gained momentum. Then came the battering to its bottom line, as shareholders and investors reacted. As the Cambridge Analytica story broke, the company's stock plummeted, shedding roughly $100 billion of market value. A host of advertisers suspended their ties with the brand, too.
Many are saying that this catastrophe could have been avoided if GDPR had been in place. What is certain is that had the Facebook mishap occurred in a post-GDPR world, the ramifications would have been costly. The regulation's upper tier of penalties is the greater of €20 million or 4% of worldwide annual turnover; given that Facebook's revenue last year came in at around $40bn, the maximum fine could have been an eye-watering $1.6bn.
The real risk here, with such a monumental misuse of data, is the damage to reputation. Facebook users may eventually forgive, because they want to use the platform, but they are unlikely to forget. For a much smaller business the reputational damage would be far worse. Imagine having to send clients letters from your practice confessing to a data breach caused by a lack of safeguarding (something GDPR will require you to do when a breach is likely to put the people affected at high risk). It would be a transgression that damages your reputation, causes clients to lose faith and erodes their trust. In the worst case, that damage plus a fine could be irreparable.
In his ashen-faced testimony to Congress this month, Mark Zuckerberg showed that even he recognises that things will have to change under GDPR. "I think the GDPR in general is going to be a very positive step for the internet," he said, as well as discussing his plans to tighten Facebook's data policies, protect users from future threats, and be more transparent about advertisers. The tide is turning, although too late for the 87 million people Facebook had to contact to tell them that their data may have been compromised.
GDPR may just be the step needed to stop blunders like Facebook's from becoming more widespread. The European Union is raising both the standards and the stakes for keeping data private, with strict rules on the collection, storage, processing and safe disposal of user and client information. Even for firms still confused about what they need to do, there is plenty of information and guidance out there to make sure you are compliant by next month.
With luck, Facebook's misfortunes will have been a wake-up call to the wider business community; as we are all about to enter the era of GDPR, it has been a well-timed, if unfortunate, reminder. The very real risks of not handling customer data with the respect it deserves are a lesson for everyone.