Earlier this year, the Cambridge Analytica scandal brought new scrutiny to the ways in which online companies make use of customer data; a few weeks later, the European Union's General Data Protection Regulation came into effect, creating new requirements for data protection and disclosure. Global Network Perspectives asked experts around the Global Network for Advanced Management how consumers, companies, and governments in their regions are responding.
In the wake of the Cambridge Analytica scandal with Facebook, companies are reviewing their privacy policies and making changes for consumers. What actions are businesses in your country or region taking in response to these leaks?
The handling of the effects of the Facebook scandal in Germany and Europe coincides with the deadline for implementing the requirements of the General Data Protection Regulation of the European Union, which came into effect in May 2018. The majority of companies are currently preparing for the new rules with great effort. The focus of the implementation work is typically the creation of a solid legal basis for the processing of customer data. For online providers, this usually means obtaining a new consent declaration (opt-in) from the users of digital services. A further focus of the GDPR implementation effort is the transparent documentation of where and how personal data is handled within a company, so that this is on record in the case of an inspection by a data protection commissioner.
Another effect of the Facebook scandal is that European companies are increasingly considering the use of European platforms and trust services instead of global platforms, for example to provide trustworthy single sign-on services.
How are rules and regulations in your country/region shaping the way companies handle the privacy of their consumers?
Germany has a long tradition of regulating in detail by law how companies handle their customers' data. The first Data Protection Act came into force in 1977. The principle of "prohibition with reservation of permission" has always been a decisive legal principle. This means that a company must have an explicit legal basis or explicit consent in order to process customer data. This principle also underlies the GDPR. However, its implementation will probably be observed even more consistently in Germany, too, because the penalties imposed by the GDPR for breaching the legal regulations are extraordinarily high.
However, this very strong regulatory character of the handling of personal data is also criticized by many European companies because it makes new digital solutions, such as big data analyses, considerably more difficult. This applies, for example, to the health sector. Here, the aggregation of data from different sources could provide considerable added value for research and product development, but often suffers from high legal hurdles.
What might be some best practices for companies when developing these policies? What should consumers look out for in advance?
For companies, the establishment of a transparent approach to the handling of their customers' personal data is of the highest importance. On the one hand, this applies to the implementation within the company. In this context, companies have to record and document very thoroughly which systems handle customer data, under which conditions, and who has the right to access the data and in which cases. Transparent documentation also includes the technical and organizational measures with which the data is protected - for example against access by hackers. On the other hand, companies should be very transparent towards customers as to which data is stored under which circumstances and in which cases it is forwarded to third parties.
Consumers should review the privacy policy of the provider before establishing new business relationships, in particular when opening new online user accounts. There are big differences here in the way personal data is handled.