Privacy Policy and Terms of Service – What is Going On?


I could hardly help but notice that my email inbox has, recently, been swamped by emails with the subject, “Updates to our Privacy Policy and Terms of Use (or Service).” What’s happening that has all of these various companies like Facebook, LinkedIn, Twitter, Survey Monkey, ad infinitum, all of a sudden, updating their Privacy Policies and Terms of Use?

The answer is that the European Union's General Data Protection Regulation (GDPR) takes effect on May 25th, 2018, and companies all over the world are making the changes necessary to comply with it. In a nutshell, GDPR gives individuals significant rights over their personal data: to know what is collected, to control how it is used and shared, and to have it corrected or erased. For example, social media apps in the U.S. require a user to acknowledge that the social media company can use, trade or sell their personal information. In the U.S. a user can either accept those strictures or decline to use the app, with no middle ground. GDPR requires that companies give users control over the distribution of their personal data without necessarily forgoing use of the app.

And this is important because…?

There are two parallel answers to that question:

1. Your organization, if it operates within the EU or handles the personal data of EU residents, needs to ensure that it is compliant with GDPR. The requirements imposed by GDPR are significantly different from, and more rigorous than, similar U.S. requirements, and failure to comply creates a huge risk. News stories in the last couple of weeks highlighted a move by Facebook to transfer management of about 1.5 billion non-European users from Ireland (part of the EU) to California. I'm sure Facebook's General Counsel determined that such a move is legal, but that isn't the same as the EU concluding that Facebook has complied with GDPR. Time will tell.

2. With the increasing acceptance of Bring Your Own Device (BYOD) policies by organizations, it's important to understand what employees' rights are under GDPR and, importantly, whether the implementation of GDPR-compliant privacy policies and terms of use affects organizational security practices or policies. Even if your organization doesn't operate within the EU, it may be beneficial to understand GDPR, since it may become the precedent for other national data protection regulations.

Generally, social media companies make profits by carrying advertising and/or by selling demographic data to other companies. The use by Cambridge Analytica of the personal data of tens of millions of Facebook users (as recently reported in various news media) illustrates the value of these large databases of demographic (and personal) information. If your organization collects such data (and it's difficult to find an organization that operates on the web and does not collect at least some of it, such as names and addresses) or relies on this data, it would be wise to conduct a risk assessment in light of GDPR.

That does not mean that GDPR automatically creates a risk for any specific organization; a risk assessment is conducted precisely to determine which risks the organization actually faces. If you live in Colorado (as I do), you might not think of earthquakes as a risk, but until you do the research to support a risk assessment, it's unlikely that you'll know that Colorado is the ninth most seismically active state in the U.S., or exactly where Colorado has experienced earthquakes, or how strong those earthquakes were.

So, as Robert Burns observed in To a Mouse, "...the best laid schemes o' mice and men gang aft agley [often go astray]..." For those of us who lead organizations, this means that we need to regularly review and update our risk assessments as the foundation for understanding our risk exposure, and update our plans to respond to changes, lest our plans "gang aft agley."

Editor's Note:

One way to test, review, and update your programs is to see how your plan stacks up against others in the industry. Our Third Annual IT Resiliency Planning Assessment Study is now open to participants. The study is used to assess how organizations are approaching their IT/DF/Resiliency programs. The study will close on May 25th, 2018.

Who should participate?

  • Participants must be responsible for contingency/resiliency planning.
  • The study accommodates roles from planner to global manager.
  • The study does not accommodate professionals who provide consulting services.

Why participate?

  • Study participants will receive a complimentary copy of the study findings.
  • Study questions are developed, and the data assessed, by an International Benchmarking Advisory Board.
  • The response is immense, driven by the value the results provide.
  • The scope is worldwide, due to extensive contacts and partnerships.
  • Firestorm is an independent, neutral party, and responses are completely confidential: individual contact and company information is never shared outside of Firestorm.
