Facebook Breach May Bring About EU-Style GDPR Privacy Rules in U.S.
Recent news of a Facebook breach might have a major impact on Information Technology Asset Management (ITAM) practices in the U.S.
News just before Christmas that Facebook is allowing advertisers and marketers direct access to personal data—and even private conversations—may have the effect of accelerating consideration in the U.S. of General Data Protection Regulation (GDPR) privacy rules, according to Dr. Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers (IAITAM).
“The year 2018 has been a difficult one for Facebook,” said Rembiesa. “Between testifying before both domestic and international courts as well as the bad publicity surrounding the Cambridge Analytica scandal, one would think that Facebook would be careful how it handles and distributes personal information. This time, it turns out Facebook was selling access to your personal data. This includes private conversations.”
The data sharing deals which Facebook engaged in have been revealed to be especially liberal with their access to personal identifying information (PII). This PII can include everything from a user’s name and email address to their photos, birthdate and even private Facebook Messenger texts. The intent was to benefit everyone using Facebook. By having all that information accessible by the various organizations, ads and marketing campaigns were supposed to be easier to tailor to their target demographic. However, this information sharing went far beyond the scope of what most people anticipated and has created a privacy crisis to which Facebook needs to respond.
“Advertisers and marketers used their wide-open access to harvest PII from Facebook users without the knowledge of the individual,” Rembiesa said. “As a result, some users of Facebook and other social media platforms are now looking for a solution to protect their data as well as their digital identity. Those same people have looked at the EU and their sweeping regulation that turned the power and authority of protecting PII back to the individual: the GDPR. The recent Facebook discovery has people looking for the adoption of something like GDPR in the U.S. faster than anticipated. It seems that people feel they are able to make decisions about their personal data better than any company or organization would.”
What would happen if the U.S. followed such a path?
Assuming a bill like GDPR is passed in the United States, the next question is how corporations will adopt the new regulation. Organizations in the European Union currently use Data Protection Officers (DPOs) for handling compliance, and many U.S.-based companies are actively recruiting DPOs in preparation for what is to come.
“The good news is that organizations that have mature IT Asset Management programs already have the professionals needed under their roof,” said Rembiesa. “The roles and responsibilities required of a Data Protection Officer are a natural addition for an IT Asset Manager. IT Asset Managers produce policies and processes and utilize best practices that care for software, hardware, and mobile assets. As Data Protection Officers, those practices would extend to personal identifiable information since such information is stored on those assets.”
