If Facebook had been GDPR compliant would things have been different?
For almost a decade, most of us using Facebook have trusted it with our personal data. We shared pictures, locations of fun places we visited, friends --old and new -- with whom we connected, 'liked' activities, and much more.
And we did this not knowing our personal information was being used in ways beyond anyone's comprehension. As we watch the Facebook story unfold, we may wonder whether this crisis could have been avoided had personal data privacy and governance been better handled. Such initiatives could be complex and expensive for any company, but is it fair to say there are no shortcuts to this approach? How prepared is any company that relies on personal data?
That said, Facebook has opened up considerably in the last few weeks by giving new controls to its users. Let's acknowledge it's not easy for complex organizations like Facebook to implement these changes. Facebook has even created a new page explaining how GDPR impacts their business, advertising, consent management, and more. Despite Facebook giving data privacy controls to its users, it remains to be seen whether the company is GDPR-compliant. We will find out only after May 25. Regardless, the question is, could this have been avoided? And if so, how? The answer is not an easy one. For a start, Facebook must now move personal data pertaining to 1.5 billion+ users who aren't EU citizens out of the data governance and processing framework of Facebook Ireland into that of Facebook USA. Google, on the other hand, has been able to maneuver the regulation fairly well, avoiding an equivalent PR crisis. The firm has been preparing for this and has been able to make the requested corrections. That is not to say that Google is GDPR-compliant either -- at least they haven't stated so explicitly.
It is important to understand a few questions here: Why is Facebook going through this PR crisis? What is the cost of implementing an organization-wide solution, best practices, and a strong adherence to regulations like GDPR in such data-centric companies? What does the process of instituting data governance practices in an organization like Facebook entail? It will also be interesting to see how the other hundreds of smaller ISVs deal with this when the May 25 deadline hits this year. I won't respond to all these questions, but will lay the groundwork for what other companies can do to avoid these pitfalls.
As organizations grow over time, they tend to implement data governance, storage, and processing capabilities based on the perceived value of the data. For example, IT admins tend to set up separate data stores for product development teams, quality assurance, business units, sales, support, and finance as they evolve, either on-premises or in one or more public clouds. Seldom do they focus on critical concepts such as data portability, data mapping, and knowing where all the data is stored. This is further magnified by the fact that most companies in the business of data have not only structured data but semi-structured and unstructured data as well. With all the text, photos, and videos uploaded by its almost two billion users, Facebook has more unstructured data than structured. This problem touches people, processes, and technology. For decades, IT teams have built data warehouses to dump all their data in. Over time, this becomes expensive and is unmanageable when even subsets of that data need to be retrieved for specific purposes.
Also, it is a misconception that US companies are immune to GDPR. From startups to larger Facebook-like enterprises, no (personal) data-centric company restricts their products and offerings to US- or country-specific audiences. They sell their product to whoever will buy it. Any company with 250 or more employees should view GDPR as an opportunity learn what personal data it handles and/or processes, assess their data governance practices, and make speedy improvements to reach 100 percent compliance. Yet, it seems most companies are not prepared for this reality.
Being GDPR-compliant for any organization means having their ducks in a row for each of the following:
• Having a map view of the data, including all the way from the source systems, to ensure lineage and proper auditing
• Being able to read data from any of the siloed clouds, edge device, or on-premises hardware
• Being able to write into or remove data located in any of these silos
• Ensuring secure data transfers
• Enforcing granular policy controls for personal data
With GDPR regulation coming into effect in less than a month, companies are forced to look at 'accelerator' solutions, in other words, a GDPR-ready data lake.
If Facebook had their ducks in a row for each of the above with a GDPR-ready data lake type of solution, had their users explicitly opted-in for all its services, and had users known exactly how advertisers and developers used data collected from Facebook, it can be argued that the company could have avoided the PR crisis.
With GDPR coming into effect on May 25, 2018, CxOs, data protection officers, and enterprise architects should start thinking about the most efficient approach to instituting data privacy, security, and governance practices across the enterprise. For companies that handle personal data pertaining to EU citizens, implementing a GDPR-ready data lake is probably the best investment to confidently avoid the type of backlash Facebook is facing today.
Ronak Chokshi is product marketing and solutions strategy lead for MapR Technologies. He is a product marketeer with 14+ years of experience in cross-functional roles. Ronak's specializations are in advanced data analytics, machine learning, IoT, sensor and connectivity domains.