Written by Leonard Lee, Founder and Managing Director of neXt Curve.
On October 31st, 2017, Facebook’s general counsel, Colin Stretch, announced to the U.S. Congress that the company would be hiring additional staff to address what appeared to be expansive “security & safety” issues. Months later, the Cambridge Analytica debacle came to light, with over 87 million Facebook users affected. On April 6, 2018, in an interview with the Today show’s Savannah Guthrie, Sheryl Sandberg characterized the Cambridge Analytica debacle as a “data breach”. But it wasn’t a data breach. It wasn’t a security breach: nobody defeated a control, and the data left Facebook through an app that the platform itself permitted to collect it. It was a violation of consumer and individual privacy and, as Sheryl Sandberg rightly stated on CNBC, a “breach of trust”.
The problem that Facebook has is its oddly persistent conflating of privacy with security. As recently as July 25, 2018, on Facebook’s Q2 2018 earnings call, Facebook CEO Mark Zuckerberg continued to characterize Facebook’s privacy-related issues as security issues, stating, ”security is not a problem that you ever fully solve.” True.
Though security and privacy are related, they are not one and the same. Security asks whether data is protected from unauthorized access; privacy asks whether the access and use that are authorized are appropriate in the first place. Surprisingly, the distinction is not clear to the broader business community and consumers, who continue to misunderstand and confuse Facebook’s privacy problems, which are deeply rooted in its business model and its culture.
To be clear, privacy is a policy set that is defined by an organization to protect the personal privacy rights of its employees as well as those of its customers and third parties such as suppliers and partners. The way that an enterprise treats privacy typically is, and should be, embedded in its corporate policies and governance. In many ways, a company’s corporate policies and governance model reflect the organization’s culture and values; consequently, so do its privacy protection policies.
How is privacy related to security? Privacy policies ultimately define the configuration, implementation and governance of an enterprise’s security infrastructure and environments – both internal and external – to protect the organization’s data, applications and assets both digital and physical. These protected assets should also cover a wide range of what GDPR (General Data Protection Regulation) calls a consumer’s “personal data”.
Why does privacy matter? Because the aforementioned GDPR is here with surprisingly global impact and is ushering in a Privacy First era that will undoubtedly shape the future of our global digital economy. This change in landscape will be a difficult shift for many of the firms out there today – such as Facebook, Google and many others – that heavily capitalize on our personal data to sustain and grow their offerings, revenues and profits.
The United States is far from immune from GDPR and the fast-moving Privacy First tide. Most recently the state of California passed the California Consumer Privacy Act (CCPA), which puts in force privacy regulations very similar to those now in play across the European Union since GDPR went into effect on May 25th of this year. With growing concerns over cyber attacks and toxic and false content being injected into social networks by belligerent foreign actors such as Russia, concerns over the exploitation of consumer personal data are intensifying in the United States.
As consumers become increasingly aware of the risks that enterprises are exposing them to with their products, their services and their business models, we can expect consumer sentiment to change in the near future as more cases of personal data exploitation (a.k.a. breaches of trust) surface and draw global attention. Accordingly, we can expect consumers to increasingly hold businesses to account for any improper access, use and failure to secure and protect their personal data.
What should business leaders learn from Facebook’s violations of privacy and consumer trust? In light of GDPR and its expanding influence across the globe, enterprises and new ventures need to get on board with a Privacy First mindset. It’s a mindset and set of values that focus on the protection of the personal privacy of the consumer versus the data and advertising-centric mindset that has dominated digital thinking for the past decade or more.
The Privacy First era will present new, sobering realities for many companies and startups that may have expected to go to market with a freemium model to fast-launch their new digital services and businesses. Yes, you might actually need to change your business model, as U.S. Congresswoman Anna Eshoo alluded to during Mark Zuckerberg’s testimony to the U.S. Congress. Innovative enterprises that adopt a Privacy First approach to their products, services and business model can expect an exciting new frontier of opportunity in a GDPR-defined digital future.
What about the consumer? What should we learn? We will expect business leaders such as Mark Zuckerberg, who is deemed one of the premier digital pioneers, to know better. We, the consumers, will need to know better as well, so that we can hold companies that make billions in profit monetizing our personal data to account, with the consequences defined in new and emerging consumer privacy protection regulations such as GDPR. That process can only begin if we understand the difference between privacy and security.
Leonard Lee is the founder and managing director of neXt Curve (www.next-curve.com), a U.S.-based research advisory firm that focuses on helping business leaders define the digital future of their organizations and industries. Mr. Lee is a former managing partner with Gartner Inc., IBM and PwC with a rich background in advising some of the leading Global Fortune 100 enterprises with their digital journeys.