Facebook users globally were left gobsmacked in March as it came to light a developer had improperly secured access to data of “tens of millions” of users on the social network, which saw the information reportedly sold to Cambridge Analytica, the data analysis business. It prompted mass outrage as many, including a co-founder of Facebook-owned WhatsApp, took to Twitter to voice plans to #DeleteFacebook. Meanwhile, days without comment from Mark Zuckerberg only caused further fury.
The scandal comes as data is on everyone’s lips, with the General Data Protection Regulation (GDPR) coming into force on Friday May 25 2018, which will require businesses to have watertight approval for usage of people’s personal data. Indeed, without GDPR compliance, companies risk being fined up to 4% of annual global turnover or €20m – whichever is higher. So you can see why data protection is such a hot topic right now. Amidst all of this, what should be going through the minds of startup leaders?
Egil Bergenlind, CEO, DPOrganizer
Reactions to Facebook enabling Cambridge Analytica access to user data without prior consent demonstrate the importance of customer data usage transparency. Regardless of size, organisations must think seriously about data security and privacy practices. The good news is startups are generally in better stead to do something about this, not weighed down by legacy systems. Thankfully, GDPR is the perfect tool to help them avoid the many mistakes made by Facebook.
Mark McClain, CEO, SailPoint
As data breaches increase in frequency and severity, as the true value of personal and company information comes to light, it’s no wonder regulations are holding organisations accountable for cybersecurity efforts – or lack thereof. GDPR brings a new set of ‘digital rights’ for EU citizens, giving them unprecedented control over their personal data. The best place to start is conducting a thorough risk analysis and mapping of data and owners across the infrastructure, then strengthening controls.
Karen Holden, founder, A City Law Firm
Businesses should take active steps to ensure compliance with GDPR. They need to know what data they’ll be storing on their customers, whether they have a lawful basis for collecting and storing such data and for how long they can hold this data. There should be suitable legal and technological infrastructure in place to comply. You must ensure any third party will comply with GDPR and that you have safeguards if they do something wrong – such as indemnities, warranties and insurances.
Tony Pepper, CEO, Egress
This scandal demonstrates even the largest companies can lose control of data. Startups should educate staff on sensitivity of data they handle. Facebook was damaged by a backlash that affected share price, advertising revenues and user numbers. While it’s unlikely a startup would experience ramifications to this extent, GDPR is ushering in an age of greater scrutiny of how all organisations handle and protect data, with consequences for wilfully or accidentally lax practices.