Earlier this year, the Cambridge Analytica scandal brought new scrutiny to the ways in which online companies make use of customer data; a few weeks later, the European Union's General Data Protection Regulation came into effect, creating new requirements for data protection and disclosure. Global Network Perspectives asked experts around the Global Network for Advanced Management how consumers, companies, and governments in their regions are responding.
The Cambridge Analytica crisis hit just as companies of all sizes in the UK were grappling with compliance with the General Data Protection Regulation (GDPR), which came into force across the EU in May. Replacing the EU Data Protection Directive, GDPR regulates the data businesses collect, how they use it, and how they protect personal data.
Companies are focusing their data compliance on their customers, who are currently being inundated with emails asking for consent to remain on their mailing lists. But many executives leading these campaigns, and indeed many of us as individuals, may be unaware of another issue that the Cambridge Analytica story highlighted: the information about us that our friends and family might unwittingly give away, something I have recently written about in a Sloan Management Review article entitled “Your Customers May Be the Weakest Link in Your Data Privacy Defenses.”
How was it that Cambridge Analytica was able to collect the personal information of 71 million Facebook users, despite only 270,000 of them consenting to their campaign? The answer lies in the apps we download and the ways in which they harvest data from phones or mobile devices. Each time we click ‘accept’ to install an app, it opens a backdoor that enables it to access our contacts, which could include not only personal details but also call logs or photos of family and friends. Studies have shown that people rarely review privacy policies and permissions, and in my own research, conducted with a sample of 287 business students in London, 96% of participants failed to realize the scope of all the information they were giving away. Imagine that each consumer has 200 contacts on their phone, and each of those has a further 200, and it’s easy to see how the multiplier effect works to rapidly build a huge data repository for an organization, even though that data was gained without permission from the owner.
Perhaps the one silver lining from the Cambridge Analytica revelations is that consumers are becoming more aware that there is no such thing as a "free" digital solution and that the price they pay for their apps is to give away their own privacy, often alongside that of their peers. Consumers should be asking themselves what they are giving away when they download an app, and should understand the rights of friends and family to the extent that they are prepared to give up the app if they do not have consent to share personal data. This vigilance, combined with the regulatory impact of GDPR, should go some way to ensuring that the security of our data, and that of those we connect with, is better protected in future.