Flipping the Facebook Iceberg
How Analytics Can Help Data Controllers Find Everything They Store
On the day that Facebook CEO, Mark Zuckerberg, faced senators’ questions over his company’s treatment of consumers’ personal data, Rowland Manthorpe wrote in Wired magazine that the Cambridge Analytica scandal had led many US observers to reverse their views on data protection regulation in Europe, “GDPR covers not only individuals based in the European Union, but also data that is processed there. Since Facebook’s global data processing unit is in Ireland, that means any of its users outside the US and Canada are subject to its terms. On May 25th, everyone from Australia to Zimbabwe gets new rights.”
EU GDPR brings in the ‘five commandments’ for data consent, namely that it is unbundled, active, granular, named and easy to withdraw. From May 25th, any service provider that has dealings with the EU is legally obliged to erase your data, or return it to you in a portable format.
Manthorpe cites the challenges that Facebook faces in complying with the right of access enshrined in the new regulation. He quotes technology policy researcher, Michael Veale’s views on Facebook’s feature, which enables users to download their data from the social network, “Facebook has a record of every like, every click, every interaction on its site, as well as the inferences drawn from this data, to categorise people by class, political allegiance or spending power. But only the very tip of this vast iceberg appears in the download, Veale says.”
To mitigate the risk of non-compliance after May 25th, and to control data sprawl to enable it to be more easily governed, organisations need to first locate all of the personally identifiable information (PII) across the business. Compiling such a data inventory is easier said than done. This is where automated PII discovery tools, such as our Accelerator for GDPR PII Compliance Analysis can help to jump-start the process and flip the iceberg.
Using software and analytics, automated discovery can dynamically detect PII in structured data sources and compare it against expected outcomes in a set of categorisations. This automation accelerates the process of determining the occurrence, location and prevalence of unorganised and unknown data, making it easier to establish where PII exists, as well as documenting what data is expected and where it should reside.
Deep, targeted analysis can then help organisations to identify any compliance shortfalls and give better visibility of their data estate, to support GDPR compliance and wider data governance strategies.