GDPR can foster innovation and breed new business models
Compulsory data diet boosts privacy and information security
The European General Data Protection Regulation (GDPR) is often regarded as suffocating business and as a barrier to technological innovation. However, there is another side of the coin. The GDPR strengthens the role of privacy and information security for organizations. This creates opportunities for innovative applications excelling on those aspects.
By Ton Monasso and Marijn Janssen
Companies often regard legislation as too restrictive and as resulting only in more bureaucracy and less innovation. On the other hand, legislation is often the product of a societal need. In the GDPR case, this need is better protection of the privacy of the weakest actor — the citizen. The regulation will induce change in companies, governments and other institutions. The power balance will partially move away from these actors and shift towards the citizen.
From the position of an individual company, the GDPR may be experienced as an additional burden. From a system perspective, these developments breed new and improved practices of dealing with data. The traditional perspective is primarily concerned with the additional investments ‘imposed’ by regulation. An alternative view recognizes the opportunities for entrepreneurs and new market entrants to offer innovative services and reshape the market.
The biggest challenge for companies is to adapt their infrastructure and business processes for GDPR compliance, even though these were never developed with this requirement in mind. Limited adaptations of existing practices and systems will often not result in full compliance, or will need disproportionate investments and result in high complexity.
Complying with the GDPR may induce a fundamental revision of the underlying economic and technological models. The ubiquitous collection, long-lasting storage and numerous combinations of ever-growing loads of transaction data are a crucial mechanism for many big data applications. Huge databases have not only fueled business models, but have also brought severe privacy and information security risks with them. Now the GDPR gives birth to a situation where economic models have to be based on a much more restricted set of data collected and processed on a need-to-know basis. Instead of using massive amounts of memory and processor power to harvest big data sets for patterns (whether useful or not), the economic model needs to be established upfront. Innovation is a necessity now that a hit-and-miss strategy is no longer feasible. The simplest trigger for this innovation will be businesses asking for it, as they face financial risks on top of their legal responsibilities for unmanageable data collections.
Technological models will turn as well. In a fragmented IT landscape, organizations regularly fail to keep track of where data is stored, let alone manage to remove it permanently. The predominant drivers, until recently, have been functionality and performance. Easy access to much data has been key. Moreover, new systems have been added to the landscape time after time, without contemplating how to deal with privacy and security risks at a more fundamental level.
The transition won’t happen overnight, nor will it pass without trial and error. Current players will try to renew and new players will try to compete. Radically new models tend to underperform in their early phases, but outperform their vested rivals eventually. Expecting them to perform perfectly at once is unrealistic; new concepts need time to gain mass and need to learn from experiences.
Since the new models are fundamentally better aligned to privacy and security, they will better match the customers’ needs. New practices may be more effective, cheaper and less prone to security risks. Surely, it is much easier to work with systems designed to use only those data that are really needed than to keep patching up old software and business models.
Innovations require investments. Many organizations — on both the demand and the supply side — see which way the wind is blowing. They may be lulled into a wait-and-see mode as long as it is unclear whether incentives for GDPR compliance will exist in the long run. Nevertheless, it does not seem to be particularly wise to act on legal incentives only. The discussion in society at large suggests privacy and security are serious factors to take into account. Chances are that privacy may undergo a trajectory similar to product safety. There is a market for cars whose safety goes above and beyond the legal requirements; why wouldn’t one emerge for apps and cloud services operating on a healthy data diet? An organization that starts early and learns from experience will be the first to break through. Sooner or later.
Ir. Ton Monasso is senior consultant at PBLQ. Prof. dr. ir. Marijn Janssen is full professor in ICT & Governance at Delft University of Technology. Both act as tutors in the module “Information management & Design” in the Master of Public Information Management, offered in The Netherlands.
