We are now into May and therefore less than a month away from the start of enforcement for the European Union’s GDPR data protection regulations. How seriously businesses are taking GDPR varies, but two words sum up why data protection is fundamentally a business continuity issue: Cambridge Analytica.
Cambridge Analytica has been in the middle of a media storm since allegations arose in March 2018 that the company had used personal information of Facebook users as the basis of political campaigns on behalf of various clients. This data protection issue has now resulted in the closure of the company, just weeks after the crisis commenced.
In a press release published on May 2nd 2018, Cambridge Analytica stated:
“Earlier today, SCL Elections Ltd., as well as certain of its and Cambridge Analytica LLC’s U.K. affiliates (collectively, the “Company” or “Cambridge Analytica”) filed applications to commence insolvency proceedings in the U.K. The Company is immediately ceasing all operations and the boards have applied to appoint insolvency practitioners Crowe Clark Whitehill LLP to act as the independent administrator for Cambridge Analytica.
“Additionally, parallel bankruptcy proceedings will soon be commenced on behalf of Cambridge Analytica LLC and certain of the Company’s U.S. affiliates in the United States Bankruptcy Court for the Southern District of New York.
“Despite Cambridge Analytica’s unwavering confidence that its employees have acted ethically and lawfully … the siege of media coverage has driven away virtually all of the Company’s customers and suppliers. As a result, it has been determined that it is no longer viable to continue operating the business, which left Cambridge Analytica with no realistic alternative to placing the Company into administration.”
Business continuity lessons
The business continuity lessons from Cambridge Analytica’s rapid demise are clear:
- Take data protection seriously. Data protection issues are not just compliance blips: they can escalate into business-threatening crises, where the reputation of the company is dragged through the mud with the result that the company’s clients no longer wish to be associated with a tarnished brand.
- GDPR isn’t something to take lightly. Any company that handles personally identifiable information about European citizens needs to act on GDPR. After 25th May, companies that fail to comply are taking a very real risk.
- Reputation management isn’t always enough. Cambridge Analytica invested a lot of effort and money into reputation management following the incident, going as far as commissioning Queen’s Counsel Julian Malins to conduct an independent investigation into the allegations regarding the company’s political activities. Mr. Malins’ report, which Cambridge Analytica published yesterday, concluded that the allegations were not “borne out by the facts.” Reputation management can help during a crisis, but it is no substitute for taking compliance risks seriously and putting into place clear, transparent, bullet-proof policies for all legislation that your organization needs to comply with.
David Honour is editor of Continuity Central. Contact: firstname.lastname@example.org