Michael Mayhew, Principal, Integrity Research | May 22, 2018
View an extract of this session held at the London Big Data and Machine Learning Revolution event in April 2018. You can also access the full video and slides.
Facebook has recently come under significant scrutiny from customers, the press and US Congress about how it allowed firms to siphon personal information from millions of user accounts. This presentation discusses these risks and the steps firms should take to mitigate these risks.
Recently Facebook was hit with a scandal that it allowed UK political consultancy Cambridge Analytica to harvest the personal data of more than 87 million users (1.1 million users in the UK). That data was used to conduct political analysis and target political ads.
What we are finding as a result of this is that this was not the first time that Facebook did this. But what it did was focus the public's attention on Facebook's Data Privacy Policies and how it sells users' personal information for advertising purposes. If Mark Zuckerberg were here, he would say they do not sell personal data, but what they do is sell ads and give the personal data away. Regardless, the use of personal information is not just about Facebook; it's about the use of private information.
A major concern for users of alternative data is around privacy information. PII is what it's called in the US: Personally Identifiable Information. The real issue, if you are a user or vendor of this data, is how should you be treating PII? PII is information that can either be used on its own, or with other information, to identify, locate or contact a single person.
This becomes very complex, because it isn't just your ability to have data that has someone's name or social security or address. But even if you strip out that data, can you, if you combine it with other data, reverse engineer someone's identity? This has become a very big issue for vendors and funds.
A lot of people here today are Asset Managers, and you don't value PII. It's not something you want, because frankly it's very difficult to make an investment decision based on what individuals are specifically doing. What you’re interested in is the universe, or the trends within the universe, instead of an individual. So when we talk about PII, I have lots of Asset Managers say what the issue is: ‘I don't want it, so I will tell the vendors not to give it to me, and I don't get it and I don't have a problem.’ Well actually, that's not the issue, because when speaking to Regulators about PII, they all agree that whether or not you have a contract saying the vendor cannot give it to you, you can still be on the hook legally.
Consumer protection laws in the US and Europe increase the risks associated with data containing PII. New EU regulation in the form of the General Data Protection Regulation (GDPR), due to come into force in May 2018, will heighten risks associated with European data containing PII.
The regulation defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
GDPR narrows the consents provided by individuals to specific purposes, making it more difficult to repurpose data without additional consent. For example, consents for the use of European geolocation data derived from phones are typically restricted to the provision and billing of the telecoms service, necessitating additional consents for other users.
GDPR also requires that data protection measures be integrated into business processes for products and services, with particular attention to pseudonymization techniques such as encryption to transform personal data.
A new non-profit trade association, the Investment Data Standards Organization (IDSO), was recently formed to develop compliance standards for the use of alternative data. IDSO has made formalizing alternative data PII best practices a top priority.
IDSO exists to help both users and the vendors that provide this data fill the void brought on by limited legal precedent regarding the use of non-traditional sources of data. Currently IDSO is developing standards for handling data that contains PII or MNPI, or that is collected via Web Harvesting. Future topics will be established by members.