After Cambridge Analytica, there is nowhere to hide

With Facebook and Cambridge Analytica embroiled in the ongoing data scandal, Craig Young, president of AMSRO, looks at privacy protection, and how brands can ensure they don't fall foul of consumers.

Compliance on privacy and the potential for a data breach is one of the single biggest risks facing organisations in 2018. That risk is multiplying every day as consumers demand greater protection and regulators adopt an increasingly hardline approach.

The reputational and commercial risks of being identified as an untrustworthy data host are profound, yet what is now at stake is not truly appreciated by most organisations. The Cambridge Analytica data harvesting scandal has dominated coverage in recent weeks and has seen $US100 billion wiped from Facebook’s value in the wake of the FTC investigation.

Consumers have now had their eyes prised wide open to what actually happens with their personal information, so the longer-term reputational damage for Facebook is potentially even higher. Not to mention the regulatory pressure.

Access to data and the ability to profile individuals in extraordinary detail has seen many organisations become too liberal and unethical in the way they use the data. Trust has been abused as expedient commercial and political use of data has been put ahead of what consumers believe is fair and right. It’s completely justifiable for people to ask: where is the informed consent?

The Facebook issue holds direct relevance for Australian organisations. Complacency or naivety around data usage is certainly one of the single biggest strategic risks for organisations dealing with data today and the reality is that no one is exempt. From the smallest firms up to the very largest, the spotlight is now right on how organisations manage and use personal data.

The financial implications for a breach are significant and the reputational damage is potentially catastrophic, so the liability that goes with data management should be top of mind for all leaders of organisations.

The Australian Privacy Commissioner is now looking at whether the personal information of Australian Facebook users was given to Cambridge Analytica, with Facebook facing fines and possible regulatory repercussions. The ACCC inquiry into the tech giants will also scrutinise misuse of data.

There are two major new pieces of legislation that emphasise how seriously the issue of data trust needs to be taken.

The Notifiable Data Breach scheme (NDB) is an amendment to the existing Privacy Act and introduces new mandatory data notifications. The scheme will toughen up privacy obligations for companies working with personal information, with considerable fines (up to $3m) for a privacy breach. It also requires companies to notify any individuals likely to be at risk of ‘serious harm’ by a data breach.

Globally the European Union’s General Data Protection Regulation contains new data protection requirements that extend the law to all foreign companies processing personal data about EU residents. Non-compliance risks potential fines equaling 4% of worldwide annual company turnover.

There is little room for error and any business handling personal information needs to correctly manage internal processes and ensure they only work with experienced and verified partners. One of the big areas of data usage for marketers is through commissioned market and social research. The AMSRO ‘Trust Mark’ means research companies only collect data and capture informed consent under strict codes and practices that are co-regulated by AMSRO and the Australian Privacy Commissioner.

There are 6 steps a company needs to undertake to ensure it is privacy compliant:

  1. Only partner with compliant suppliers – Look for similar formal peak body programs as the AMSRO ‘Trust Mark’ in other industries as your partners represent one of your greatest vulnerabilities
  2. Ensure there is internal accountability – Put risk as a lead item on the board’s agenda and appoint a staff privacy officer to oversee a privacy compliance strategy and respond to complaints
  3. Train staff and create a compliance culture – Provide tailored training on privacy laws and processes specific to your business and create a culture at all levels that values privacy
  4. Continually assess and audit – Conduct a privacy review on how your data is being used internally and externally and have a set auditing compliance schedule
  5. Be transparent and plan – Update and maintain your organisation’s privacy policy. Develop an inquiry and complaints program and update privacy collection statements to comply
  6. Prepare for a breach – Leadership needs to know privacy procedures and how to manage any potential breach should it occur.

Many Australian companies are ill-prepared for privacy and data breaches. The risk is amplified because of the natural tension between the power of data in a commercial sense and the need to respect clear regulatory and ethical boundaries. The best way to strike that balance and to mitigate risk is to follow the six steps and to be clear on what is expected of your suppliers.

Craig Young is the president of AMSRO (Association of Market & Social Research Organisations).

