The recent controversy around the Cambridge Analytica/Facebook data scandal has people talking about proper data management practices. With the EU’s GDPR regulations on the horizon as well, many businesses are finding themselves scrambling for answers.
Facebook’s company policies allowed one of their clients to access data which they didn’t realize had other potential uses. This is a great opportunity for other companies to analyze their own data policies and reassess how they are applied.
We can look at the Cambridge Analytica situation to examine our roles in the digital economy and understand how our actions affect not only the data, but the trust of our customers. What lessons can we learn from Facebook about data ownership? What should we consider when sharing data with outside parties? Here are three ways the Cambridge Analytica debacle showed us how NOT to do data management:
1. Failing to Maintain a Master Data Management (MDM) Plan
Master Data Management (MDM) is a process that documents how companies collect information, how that information is used, and when that information is no longer valuable to the company and needs to be disposed of. Facebook’s MDM was poor, to say the least. It let Cambridge Analytica mismanage personal data and disregarded the privacy and security of millions by sharing it with an additional unauthorized party. Think about your Master Data Management strategy. Is everyone aware of the role they play in that strategy? The proper approach considers data movement, data lifecycle, data quality, and data security. Many of these principles are inherent in MDM and in the GDPR principles companies are now adopting. When you take all these aspects into account, you gain the clearest understanding of your data, which helps you determine if you’re collecting data you don’t need or holding on to data that’s no longer valuable. For example, if you sent a prospect a marketing email 10 years ago, is that still necessary to keep? What about two years ago? It’s important to create a company policy for retention that considers your customer buying cycle, privacy policies, and the overall goals of your Master Data Management plan.
Creating a solid data management plan requires a three-pronged approach: (1) auditing your data; (2) developing rules for data entry, naming conventions, and deduplication; and (3) training your teams. If you have a decent CRM system, it may come preloaded with data management tools. Or, you can add data management tools to execute your plan. Using an ETL tool can help you manage the scheduling and organization of the data, but it shouldn’t become a crutch. Here are some key points to remember as you create your data management plan:
- If your company has been preparing for GDPR, you may be well ahead of the curve on data auditing. But, if the concept is still simmering on the backburner, it’s time to turn up the heat. Prioritize the types of data that are most important to your business. Track how that data is being used and which of your systems (CRM, marketing automation, ERP, POS devices, social media accounts, etc.) are using it. Who has access? Hierarchical user permissions keep data management tight by granting access to users on an as-needed basis.
- Consider how things like punctuation, indefinite and definite articles (A, The), numbers, and abbreviations could impact data quality. Standardize how these situations should be handled when entering data in the CRM. Spell out the numbers and avoid punctuation altogether – try “Fifth street, USA”, instead of “5th street U.S.A.” If you must use abbreviations, you should be consistent across the board. Is it Corp. or Co.? Avoid duplicate data by searching the CRM before creating a new record. If duplicates appear, check them first to make sure they’re truly two different records and not just businesses with similar names. Once certain, merge the data instead of deleting one of the records. Also consider the rules you are setting for keeping data segments. Based on the class of a Lead, Customer, User, etc., how long does it make sense to keep that information? How did you get the information in the first place? Did you buy a list? Get permission via a form submission? GDPR and MDM both require that you know the answers to these questions.
- The rules you create are meaningless if employees aren’t aware of them or don’t know how to apply them. Offer documentation so employees always have the guidelines available. Everyone must understand the importance of the data entry protocols.
2. Passing off Data Ownership
Facebook let Cambridge Analytica access its data, but it didn’t take responsibility for how that data was being used. Cambridge Analytica developed psychographic profiles of Facebook users by transferring data to another company, Global Science Research, that used its app to mine the profiles for information. According to Facebook, this transferring of data violated legal usage guidelines, so why didn’t they catch it? Their protocols were not strict enough. Facebook, as the original owner of the data, is culpable for the infringements made by Cambridge Analytica.
If your company works with partners, you probably share data. Make sure the parties utilizing your information are doing so with complete transparency. Do the partners have documentation of your data policies? Are you policing their adherence to those policies? What are your security protocols?
The same applies to data shared through integrated systems. Be aware of where data is going and through which channels it’s getting there. Firewalls, encryption, and other cyber security measures are useful for preventing outsider access, but insiders with access to the data can still be negligent if not properly directed. Insider negligence accounts for an estimated 88% of all data breaches, and that’s a percentage to be reckoned with! Data management means owning the data in all its forms, in all its locations, and with all the users collectively holding themselves responsible.
3. No End of Life Plan
The data acquired by Cambridge Analytica was used for political advertisements during the U.S. presidential race, but what happened to it afterwards? Was it deleted? Destroyed? Archived? Facebook says when it found out about the data violations, it ordered Cambridge Analytica (and the app it worked with) to destroy any data shared between the companies or with any other parties. The jury is still out on whether that actually happened…
Establishing clear data archiving and destruction policies is a big part of data management. Destroying data is more than just deleting it. A process for sanitizing storage devices ensures any trace elements of leftover information are truly gone. What defines proper archiving? Among other things, a formalized set of procedures that define the criteria for data to be archived, mechanisms to facilitate the archiving, the duration data remains archived, and the rules for who can access the archived information. Archived data should be encrypted and protected. Alerts and audit logs will help keep track of who accesses archived data and prevent it from being tampered with.
Don’t be reactive when it comes to data management. Situations like Facebook’s are not fun and do not reflect well on your public image. Learn from the mistakes of Facebook and Cambridge Analytica and start better data management practices today.