Once a Silicon Valley darling, DNA testing company 23andMe has now gone into administration—leaving behind not just a troubled balance sheet, but a trove of highly sensitive personal data. Millions of customers entrusted the firm with their genetic information, family histories, and health predispositions. Now, the burning question: what happens to that data?

The debate has ignited fears over data ownership, consent, and corporate accountability. In the UK, administrators are bound by GDPR, but the worry remains that valuable genetic data could be sold to settle debts, repurposed without consent, or exposed through weak security controls.

This situation highlights a deeper issue: data stewardship isn’t just a technical obligation—it’s a moral one.

Companies handling sensitive personal data, especially genomic data, have a duty to manage it with care, clarity, and long-term integrity. That includes clear opt-in/out pathways, strong encryption, regular data hygiene to purge old or redundant data, and robust governance policies for worst-case scenarios such as insolvency.

The collapse of 23andMe should serve as a wake-up call for all businesses. Collecting customer data—especially intimate, immutable data like DNA—comes with a weighty responsibility. It’s not enough to promise security when times are good. Organisations must be prepared to protect customer trust, even when they’re closing their doors.

Poor data practices put trust, reputations, and lives at risk. The 23andMe fallout proves that when companies fail to plan for data continuity, or ignore basic data hygiene, customers pay the price.

In an age where data is identity, businesses must do better. Because protecting data isn’t just a technical job—it’s a human one.