Grant Thornton Indonesia's Update

It’s More than Just Anonymizing the Data

Still remember the data scandal this early year? It’s probably the biggest scandal over the last decade ever. Data from millions of Facebook users were being used by the third parties for their own interest. Facebook Inc said, the personal information of up to 87 million users, mostly in the United States, may have been improperly shared with political consultancy Cambridge Analytica. It was up from a previous news media estimate of more than 50 million.

Zuckerberg to media said Facebook should have done more to audit and oversee third-party app developers like the one that Cambridge Analytica hired in 2014. “Knowing what I know today, clearly we should have done more,” he said.

Facebook was taking steps to restrict which personal data is available to third-party app developers, he said, and it might take two more years to fix Facebook's problems. “We’re broadening our view of our responsibility,” Zuckerberg said.

It’s clearly that with big data comes big responsibility. The collection, storage, sharing, and analysis of data are far outpacing individual privacy protections. The Internet of Things (IoT), with its promise to create networks of networks, will magnify individual data privacy threats.

In recent years, there have been a score of massive data breaches, including millions of Yahoo, LinkedIn, and MySpace account details. Recent data breaches, exposing the personal information of millions of users, provide insight into the vulnerability of personal data. Although seemingly expansive, there are core individual privacy issues that are central to current big data breaches and anticipated IoT threats.

Extremely Urge

Today, good marketing relies on having detailed and accurate customer data. And companies, not surprisingly, are eager to collect vast troves of it. Many companies have found that sharing their own customer information with other companies creates synergies for both parties, especially with the increasing availability of “Internet of Things” data (GPS sensors, smart utility meters, fitness devices, etc.).

On the other side, studies have shown that consumers are willing to share information with a brand that they trust will protect their information. Greater regulation is being enacted to ensure that businesses are accountable, and that consumers have the right to delete, transfer, or obtain a copy of their data.

Clearly, protecting customer data should always be a top priority for businesses. But doing so is increasingly extending beyond moral responsibility and taking on the form of legal requirement. Europe is now covered by the world's strongest data protection rules. The mutually agreed General Data Protection Regulation (GDPR) came into force on May 25, 2018, and was designed to modernize laws that protect the personal information of individuals.

One of the most significant challenges facing organizations ahead of GDPR is associating given consent to a specific individual in a holistic manner. Previously, data structuring was just an internal IT problem. But not anymore. Following GDPR, unless organizations can argue for another lawful basis for collecting, processing, using and sharing data, individual data subjects may have the right to refuse certain aspects of usage.  

Should data subjects not actively provide consent, an organization could potentially no longer have access to information that could be crucial to its operations. This means that getting control of your data, knowing who is using it, how, and why, is more important than ever.

Organizations that collect personal data for one purpose must be aware of their responsibilities in managing the data under GPDR.  More importantly, they should also understand that individuals are becoming increasingly aware of the use of personal data.

All organizations must work with their customers to build trust and openness about how personal data is used.  For organizations, this means building a single view of an individual – to allow an individual to take control of their data, and for organizations to respect rights and consents of data subjects.

Do we need this kind of GPDR around the world? Cause protecting privacy requires more than just  anonymizing their data, right?