GDPR is going to be great for Facebook and Google.

“Over time, all data approaches deleted, or public.” — Norton’s Law. See Haunted By Data by Maciej Cegłowski and The State of Artificial Intelligence by Andrew Y Ng for more background and viewpoints.

Picture two types of data store, public and private. If your store is private, you can use it to advantage as suggested by Andrew Ng’s talk. If your store is public, everyone can use it and advantage is created in other ways.

Say a company wants to live dangerously and creates a private store of personally identifiable information about people. Say that company suffers a cybersecurity incident and the store of data becomes public. Say that there is no long term negative impact on that company.

Say that this pattern happens over and over again for many years. A sensible executive might infer that it’s not so dangerous to live dangerously.

Of course I’m talking about credit card number storage in the early days of web retail, not anything modern 🙂 For all of its issues, PCI changed the picture of credit card storage by putting real financial penalties on the problem.

Now companies either perform the minimum due diligence, with separate cardholder data environments and regular audits, or they outsource card-handling to another company that is focused on this problem.

Putting more and more credit card data into a single store obviously creates a watering hole problem, but it also allows focusing protective efforts. Overall it’s a net good. Until that third party hits a rough patch, but entropy is what it is.

Since GDPR has the same impact on a broader set of personal data, it seems likely that the same outcome will eventually occur. Either protect the data yourself, or outsource the problem to a broker.

The broker needs to provide analytics tools so you can do all the market and product research you wanted the data for. It would also be handy if they’d take care of AAA, minimizing the impact of change (name, address, legal status, &c).

And who’s in a great position to do all those things already? Google and Facebook.