Privacy: Straitjacket or competitive advantage?

Personal Security

In 2012, Neelie Kroes, then the vice president of the European Commission, referred to data as being ‘the new oil’. Her definition underpinned a belief that the impact of data would be as profound as the oil industry had been on our world and the economy over the previous 150 years. Just five years after Kroes’ announcement, The Economist supported her prediction by announcing data as the world’s most valuable resource in 2017, trumping the black stuff. This was declared given that the collective net profits of Alphabet, Amazon, Apple, Facebook, and Microsoft had stood at more than $25bn in just the first quarter of the same year. 

Despite its value, there is evidence to suggest that many organisations and businesses take for granted what is arguably the most important data asset – the consent and data permissions of the individual that provide them with access to the data and rights of usage. 

Data, remember, is simply defined as meaning facts and statistics collected for reference and analysis. Academic Meredith Loken elaborates on that, defining data as “everything from personal data like age, gender and height, to data collected from sensors on ships or from the production process in a factory. You’ll find data in words, pictures, sound, ideas, facts, measurements, statistics, or anything else that can be handled by computers, broken down to binary numbers, 1s and 0s.

While data creates economic competitiveness, the comparisons of data being like oil creates tension for academics and experts alike. Indium Software’s Vaibhavi Tamizhkumaran argues data can no longer be metaphorically compared to oil given that data is essentially infinitely renewable whereas oil is a finite resource. Alec Stapp of the Institute for Progress applies a more simplistic perspective, arguing that the comparison “has become the dumbest meme in tech,” for comparing data to the physical world is “fundamentally flawed”. He concludes, “people who analogise data to oil or gold may merely be trying to convey that data is as valuable in the 21st century as those commodities were in the 20th century,” which is, perhaps, the most accurate summary of all. Regardless of your view, one argument that should always hold true on both sides is that, to quote British mathematician Clive Humby, “like oil, data is valuable, but if unrefined, it cannot really be used”.

Humby is credited as being the first person to introduce the idea of data being the new oil, and unlike Kroes, his comparison was applied with a different lens. He was less focussed on the economic impact of the data industry on society and more focussed on how data needs to be refined or cleaned for its true value to be unlocked. His argument that, like oil, data cannot unlock value in its raw state is fundamental, and should focus the minds of any organisation or business who might believe that by accumulating large quantities of data they have value. 

One fine was issued for £1.48m following 25 complaints from individuals that their personal data was being used without permission

The truth is, it’s simply not enough to have data. To unlock value, organisations and businesses must implement a robust data strategy that enshrines a commonly understood and consistently executed set of rules and behaviours for managing data. An effective data strategy must be underpinned by four principles: provenance, preparation, protection and privacy. 

Provenance, also known as data lineage, is metadata paired with the records that detail origin, changes to, and the details supporting, the confidence or validity of data. Data preparation, meanwhile, is the process of gathering, combining and structuring and organising data so it can be used in a meaningful way. 

As for the tenet of protection, the ICO says this is “ensuring people can trust you to use their data fairly and responsibly,” which requires organisations and businesses to keep their customers’ data safe from theft and loss. There is evidence to suggest that businesses and organisations see protection as meaning privacy, and whilst they are described by some as ‘kissing cousins’, the terms privacy and protection should not be used interchangeably. Whilst protection is focussed on security of data, privacy relates to its governance i.e. how data can be shared and used. 

A failure to understand the difference between the two can leave organisations and businesses exposed to risks that their data protection strategy will not save them from. Such risks include regulatory fines, reputational and economic damage, and loss of customers and consumer trust. For those that do recognise the distinction, there is clear evidence that the existing privacy strategies of today might not go far enough and the technologies that are typically used to underpin them are not fit for purpose. Simultaneously, many privacy strategies fail to consider the changing dynamics of an increasingly interconnected and open data world, which will limit the competitiveness of organisations and businesses in the future.

Some organisations and businesses have seen privacy as nothing more than a ‘tick-box’ exercise or something that must be done to appease the demands of the regulator. As such, obtaining important regulatory requirements such as garnering the customer’s consent is seen as something of a ‘given’ and there is little regard for how this part of a customer journey can be used to unlock a more granularized view of how the customer wishes for their data to be shared and used. 

This is exacerbated when we consider that the consent of a customer is often stored on platforms and technology that can be remastered and changed, creating multiple records of the customer permissions that demonstrate differing data permissions as time progresses. As such, organisations and businesses become locked out from using their data over time as they have no single view of how to use it, whilst they also prevent themselves from gaining access to new sources of clean data which a robust privacy management strategy might afford them. 

As the founder and CEO of a company that has developed its own consent and permissions management software, we have found instances where some organisations and businesses have been unable to process and use 100 percent of their customers’ data, and due to the regulatory concerns it has caused, their default position has been that it might pose too much risk to the business to market to their customers, denying themselves future opportunities of revenue.

For the organisations and businesses willing to risk using data without the relevant consent and permissions, they should become increasingly aware of the growing teeth of regulators around the world, which show such an approach will not be tolerated.

Recent examples include the UK’s ICO issuing a £40,000 fine to one company after receiving just five complaints about e-mail marketing campaigns that had contacted them without valid consent. A second fine was issued for £80,000 following the same number of complaints made about predatory marketing calls without consent, whilst another fine was issued for £1.48m following 25 complaints from individuals that identified their personal data was being used without the relevant data permissions. In Europe alone we have seen more than 1200 fines issued to organisations for breaches of GDPR, totalling more than £2bn. 

Some organisations and businesses are trying to solve these problems by creating large data lakes for their data permissions to be stored; however, these permission lakes will be limiting for multiple reasons. At the same time they will not allow the organisations and businesses doing this to participate to their full potential in an open data economy that requires customer data to be shared by multiple parties across a network. As such, this approach to data is creating future experiences for their customers that will ultimately lead to friction, limiting engagement opportunities and their future revenue potential. 

As global regulators lean towards supporting data sovereignty and organisations, and businesses contend with the emerging threat of web3 platforms that enshrine data sovereignty as a principle, the need for more robust and forward-thinking data privacy strategies will become increasingly prevalent for those wishing to win the trust of their customers and compete in the future. Furthermore, organisations and businesses will also need to think about themselves not just as a single entity, but as a party within a network. This is particularly so as open data initiatives become increasingly prevalent and mature. 

As a result, enterprises will need to think about whether their existing privacy strategies allow them to participate in the open data economy or instead hold them back like the proverbial straitjacket.    

Wayne Lloyd, founder and CEO, Smarter Contracts