The Facebook Cambridge Analytica breach and the knowledge that the company was selling private information to companies might mean that Congress will consider a version of the European Union’s General Data Privacy Regulation (GDPR).
Representative Will Hurd from Texas, the chairman of the Information Technology Subcommittee of the House Committee on Oversight and Government Reform, told a room of people at the Aspen Cyber Summit in San Francisco that proposing a version of GDPR was definitely possible.
“One of the things we will be looking at is GDPR. Is it working, is it not working, is it something that we may be moving to?” Hurd said. “A year ago, the answer would have been not ‘no,’ but ‘hell, no.’ I think more people are open to that now because of some of the breaches.”
Dr. Barbara Rembiesa, the president and CEO of the International Association of IT Asset Managers (IAITAM), said that if GDPR is reconsidered, it’ll have a huge effect on information technology asset management in the United States.
“The year 2018 has been a difficult one for Facebook. Between testifying before both domestic and international courts as well as the bad publicity surrounding the Cambridge Analytica scandal, one would think that Facebook would be careful how it handles and distributes personal information,” Rembiesa said. “This time, it turns out Facebook was selling access to your personal data. This includes private conversations.”
That private info, called personally identifiable information (PII), includes data like usernames and email addresses but also photos and Facebook Messenger conversations. The information was supposed to help companies advertise to Facebook’s users, but it created a scandal instead.
Rembiesa said it would behoove the U.S. to follow the EU’s lead by using data protection officers to handle compliance with new rules, and that some companies are already doing just that.
“The good news is that organizations that have mature IT Asset Management programs already have the professionals needed under their roof. The roles and responsibilities required of a data protection officer are a natural addition for an IT asset manager,” Rembiesa explained. “IT asset managers produce policies and processes and utilize best practices that care for software, hardware and mobile assets. As data protection officers, those practices would extend to personally identifiable information, since such information is stored on those assets.”