As you know from the news, some companies have been able to profile millions of Facebook users without their knowledge, let alone their consent.
None of this data was stolen; it has been misused by actors exploiting the business model put in place by Facebook.
This is a huge data protection issue, where the rights of the data subjects have been ignored and the requirements of the data controllers and processors haven’t been enforced.
If the reports are confirmed in all their details, these companies will have shown that they were unable to track and monitor the tasks involved in personal data handling, and that they made use of the data without a lawful basis - all points that the GDPR stresses.
Everybody in the data management chain should know with clarity:
- what’s being gathered;
- where it comes from;
- who owns it;
- where it goes to;
- in which format;
- where it’s stored;
- what purpose it’s used for;
- how long it’s retained;
- what the lawful basis is.
There’s no doubt that at least some of the companies involved in the news had not fully gone through this checklist. It is equally certain that the users were not informed of any of these details.
As users, we should all play a more active role: making the effort to read through the screens of agreements and settings, limiting as much as possible the data we agree to share, and reviewing and deleting data we think is no longer useful.
Companies should assess their position in relation to data protection. Have they ever gone through the checklist above? Have they addressed any gap they found with proper actions? Are data management roles in place? Are they monitoring and evaluating their processes?
In the end, while nothing is perfect, a company should be confident that it can avoid serious consequences because it did everything possible to protect its data and to use it in an appropriate way.
The benefits of implementing proper data management are evident: stakeholder and customer trust, company reputation, and an improved security and compliance posture.