Why the Facebook News Is Important: Two Lessons for Data Managers

Posted 03/26/2018 by Patrick McGrath

There's been a lot of talk in the office about the use of social data - with the illusion of privacy - being used downstream for questionable purposes.  While much of the public outrage is fresh, it has been widely known for years that marketers, including those supporting political campaigns, have been consuming personal data at scale to align demographics and behaviors to their objectives.

While users clearly gave Facebook consent to store and manage their personal data, it is clear that many did not realize the implications. Few have actually read the Facebook privacy terms. Yet they're still happy to hop on to a third-party frivolous quiz to answer what baked-good their personality most resembles, opening up themselves and their friends to additional data collection and analysis. 

This situation highlights two of the basics of electronically stored information (ESI):

  1. Data is easily and frequently copied
  2. Controlling its distribution and downstream consumption is extremely difficult

Data has a life of its own

In the 2000s I managed the response to several data loss incidents for a large university. The first of these involved the theft of a laptop from a “secure” location that contained a spreadsheet laden with personally identifiable information of many, many thousands of individuals.

This file was initially created from a system report from a student data warehouse. The personal data in question was deposited several sheets into an excel workbook, without any conscious knowledge of the laptop user. Now think about how many times that spreadsheet might have been emailed, stored on departmental file servers or attached to transactions in distributed applications. At the same organization, we conducted a study that showed how a single document was duplicated and stored in more than a hundred separate locations across departments.

    Lesson 1: Regulation, policy and education is great, but if the user isn’t even aware they have the data, it’s just not enough.

Have you really deleted unnecessary personal data?

We’ve been talking a lot with customers recently about data privacy and the General Data Protection Regulation (GDPR) with the release of our new product, Commvault Sensitive Data Governance. With only a couple of months before GDPR becomes effective, customers report an increased level of anxiety about the presence of personal data as they realize that compliance is more complicated than they expected. We often tell them two things: 

  1. If you don’t need to store personal or sensitive data, then get rid of it if you can legally do so before it creates a problem
  2. If you must respond to a data breach or data subject requests, you need to be able to find that information quickly

But that’s easier said than done. Especially considering the viral nature of data and any unintended consequences of its use. Data can be anywhere, and there could be a lot of it.

    Lesson 2: Process and automation is your friend, particularly for scaling the control and consistency of data controls and risk management.

How do you deal with this in your organization? Know, manage and protect your sensitive data with Commvault.

Patrick McGrath leads solutions marketing for Commvault’s Archiving, Search and Analytics offerings. Before moving into marketing, Patrick spent many years working as a customer and consultant IT practitioner with a diverse set of services and projects supporting digital transformation. Patrick’s interest in data privacy and GDPR build upon previous experiences managing information governance and the response to large data breach incidents.