Recent controversy around the Cambridge Analytica/Facebook data scandal
has people talking about proper data management practices. With the
EU’s GDPR regulations on the horizon as well, many businesses are
finding themselves scrambling for answers.
Facebook’s company policies allowed one of their clients to access
data which they didn’t realize had other potential uses. This is a great
opportunity for other companies to analyze their own data policies and
reassess how they are applied.
We can look at the Cambridge Analytica situation to examine our roles
in the digital economy and understand how our actions affect not only
the data, but the trust of our customers. What lessons can we learn from
Facebook about data ownership? What should we consider when sharing
data with outside parties? Here are three ways the Cambridge Analytica
debacle showed us how NOT to do data management:
1. Failing to Maintain a Master Data Management (MDM) Plan
Master Data Management (MDM) is a process that documents how
companies collect information, how that information is used, and when
that information is no longer valuable to the company and needs to be
disposed of. Facebook’s MDM was poor, to say the least. It let Cambridge
Analytica mismanage personal data and disregarded the privacy and
security of millions by sharing it with an additional unauthorized
party. Think about your Master Data Management strategy. Is everyone
aware of the role they play in that strategy? The proper approach
considers data movement, data lifecycle, data quality, and data
security. Many of these principles are inherent in MDM and in the GDPR
principles companies are now adopting. When you take all these aspects
into account, you gain the clearest understanding of your data, which
helps you determine if you’re collecting data you don’t need or holding
on to data that’s no longer valuable. For example, if you sent a
prospect a marketing email 10 years ago, is that still necessary to
keep? What about two years ago? It’s important to create a company
policy for retention that considers your customer buying cycle, privacy
policies, and the overall goals of your Master Data Management plan.
Creating a solid data management plan requires a three-pronged approach: (1) Auditing Your Data; (2) Developing rules for data entry, naming conventions, and deduplication; and (3) Training your teams. If you have a decent CRM system, it may come preloaded with data management tools. Or, you can add data management tools to execute your plan. Using an ETL tool can help you manage the scheduling and organization of the data, but it shouldn’t become a crutch. Here are some key points to remember as you create your data management plan:
- If your company has been preparing for GDPR, you may be well ahead
of the curve on data auditing. But, if the concept is still simmering on
the backburner, it’s time to turn up the heat. Prioritize the types of
data that are most important to your business. Track how that data is
being used and which of your systems (CRM, marketing automation, ERP,
POS devices, social media accounts, etc.) are using it. Who has access?
Hierarchical user permissions keep data management tight by granting
access to users on an as-needed basis.
- Consider how things like punctuation, indefinite and definite
articles (A, The), numbers, and abbreviations could impact data quality.
Standardize how these situations should be handled when entering data
in the CRM. Spell out the numbers and avoid punctuation altogether – try
“Fifth street, USA”, instead of “5th street U.S.A.” If you
must use abbreviations, you should be consistent across the board. Is it
Corp. or Co.? Avoid duplicate data by searching the CRM before creating
a new record. If duplicates appear, check them first to make sure
they’re truly two different records and not just businesses with similar
names. Once certain, merge the data instead of deleting one of the
records. Also consider the rules you are setting for keeping data
segments. Based on the class of a Lead, Customer, User, etc., how long
does it make sense to keep that information? How did you get the
information in the first place? Did you buy a list? Get permission via a
form submission? GDPR and MDM both require that you know the answers to
- The rules you create are meaningless if employees aren’t aware of
them or don’t know how to apply them. Offer documentation so employees
always have the guidelines available. Everyone must understand the
importance of the data entry protocols.
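The retention and provenance questions raised above (how long to keep a record based on its class, and how the information was obtained) can be checked mechanically against a CRM export. The following is an added example, not part of the original article; the retention periods, class names, source labels and sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed retention periods in days per record class (illustrative values only).
RETENTION_DAYS = {"lead": 730, "customer": 2555, "user": 1095}
# Assumed acquisition sources that carry documented permission.
CONSENTED_SOURCES = {"form_submission"}


@dataclass
class Record:
    record_id: str
    record_class: str    # e.g. "lead", "customer", "user"
    source: str          # how the data was obtained; "" if unknown
    last_activity: date  # last time the record was used or updated


def audit(records, today):
    """Return {record_id: [findings]} for records that need review."""
    findings = {}
    for r in records:
        issues = []
        limit = RETENTION_DAYS.get(r.record_class)
        if limit is None:
            issues.append("no retention rule for class")
        elif (today - r.last_activity).days > limit:
            issues.append("past retention period")
        if not r.source:
            issues.append("unknown acquisition source")
        elif r.source not in CONSENTED_SOURCES:
            issues.append("no documented permission")
        if issues:
            findings[r.record_id] = issues
    return findings


# Constructed sample records, not real data.
SAMPLE = [
    Record("r1", "lead", "form_submission", date(2008, 3, 1)),   # 10-year-old contact
    Record("r2", "lead", "purchased_list", date(2017, 11, 5)),   # bought list
    Record("r3", "customer", "form_submission", date(2017, 6, 1)),
    Record("r4", "partner", "", date(2018, 1, 10)),              # class with no rule
]

if __name__ == "__main__":
    for rid, issues in audit(SAMPLE, date(2018, 4, 1)).items():
        print(rid, "->", "; ".join(issues))
```

Records flagged here are candidates for review, archiving or destruction under the plan, not for automatic deletion.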
2. Passing off Data Ownership
Facebook let Cambridge Analytica access its data, but it didn’t take
responsibility for how that data was being used. Cambridge Analytica
developed psychographic profiles of Facebook users by transferring data
to another company, Global Science Research, that used its app to mine
the profiles for information. According to Facebook, this transferring
of data violated legal usage guidelines, so why didn’t they catch it?
Their protocols were not strict enough. Facebook, as the original owner
of the data, is culpable for the infringements made by Cambridge
If your company works with partners, you probably share data. Make
sure the parties utilizing your information are doing so with complete
transparency. Do the partners have documentation of your data policies?
Are you policing their adherence to those policies? What are your
This also applies to data shared through integrated systems. Be aware of where data is going and through which channels it’s getting there. Firewalls, encryption, and other cyber security measures are useful for preventing outsider access, but insiders with access to the data can still be negligent if not properly directed. Insider negligence accounts for an estimated 88% of all data breaches, and that’s a percentage to be reckoned with! Data management means owning the data in all its forms, in all its locations, and with all the users collectively holding themselves responsible.
3. No End of Life Plan
The data acquired by Cambridge Analytica was used for political
advertisements during the U.S. presidential race, but what happened to
it afterwards? Was it deleted? Destroyed? Archived? Facebook says when
it found out about the data violations, it ordered Cambridge Analytica
(and the app it worked with) to destroy any data shared between the
companies or with any other parties. The verdict is still out on if that
Establishing clear data archiving and destruction policies is a big
part of data management. Destroying data is more than just deleting it. A
process for sanitizing storage devices ensures any trace elements of
leftover information are truly gone. What defines proper archiving?
Among other things, a formalized set of procedures that define the
criteria for data to be archived, mechanisms to facilitate the
archiving, the duration data remains archived, and the rules for who can
access the archived information. Archived data should be encrypted and
protected. Alerts and audit logs will help keep track of who accesses
archived data and prevent it from being tampered with.
Don’t be reactive when it comes to data management. Situations like
Facebook’s are not fun and do not reflect well on your public image.
Learn from the mistakes of Facebook and Cambridge Analytica and start
better data management practices today.