Facebook has recently come under significant scrutiny from customers, the press and the US Congress about how it allowed firms to siphon personal information from millions of user accounts. This presentation discusses these risks and the steps firms should take to mitigate them.
The Latest Facebook Privacy Crisis
Recently Facebook was hit with a scandal over allowing UK political consultancy Cambridge Analytica to harvest the personal data of more than 87 million users (1.1 million users in the UK). That data was used to conduct political analysis and target political ads.
What we are finding as a result of this is that this was not the first time that Facebook did this. But what it did was focus the public's attention on Facebook's Data Privacy Policies and how it sells users' personal information for advertising purposes. If Mark Zuckerberg were here, he would say they do not sell personal data but what they do is sell ads and give the personal data away. Regardless, the issue is not just about Facebook; it's about the use of private information.
A major concern for users of alternative data is privacy information. PII is what it's called in the US - Personally Identifiable Information. The real issue, if you are a user or vendor of this data, is how you should be treating PII. PII is information that can be used either on its own or with other information to identify, locate or contact a single person.
This becomes very complex, because it isn't just your ability to have data that has someone's name or social security or address. But even if you strip out that data, can you, if you combine it with other data, reverse engineer someone's identity? This has become a very big issue for vendors and funds.
PII & Alternative Data
A lot of people here today are Asset Managers, and you don't value PII; it's not something you want, because frankly it's very difficult to make an investment decision based on what individuals are specifically doing. What you’re interested in is the universe, or the trends within the universe, instead of an individual. So when we talk about PII, I have lots of Asset Managers say what the issue is: ‘I don't want it, so I will tell the vendors not to give it to me, and I don't get it and I don't have a problem.’ Well actually, that's not the issue, because when speaking to Regulators about PII, they all agree that whether or not you have a contract saying the vendor cannot give it to you, you can still be on the hook legally.
PII & the GDPR
Consumer protection laws in the US and Europe increase the risks associated with data containing PII. New EU regulation in the form of the General Data Protection Regulation (GDPR), due to come into force in May 2018, will heighten risks associated with European data containing PII.
The regulation defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
GDPR & Consumer Consents
GDPR narrows the consents provided by individuals to specific purposes, making it more difficult to repurpose data without additional consent. For example, consents for the use of European geolocation data derived from phones are typically restricted to the provision and billing of the telecoms service, necessitating additional consents for other uses.
GDPR & Pseudonymization
GDPR also requires that data protection measures be integrated into business processes for products and services, with particular attention to pseudonymization techniques such as encryption to transform personal data.
Compliance Standards for PII (Personally Identifiable Information)
A new non-profit trade association, the Investment Data Standards Organization (IDSO), was recently formed to develop compliance standards for the use of alternative data. IDSO has made formalizing alternative data PII best practices a top priority.
IDSO exists to help both users and the vendors that provide this data fill the void brought on by limited legal precedent regarding the use of non-traditional sources of data. Currently IDSO is developing standards for handling data that contains PII or MNPI, or that is collected via web harvesting. Future topics will be established by members.