The Awakening of Data Privacy?

Laurynas Riliskis
Augmented Intelligence
7 min read · Oct 23, 2017

In this latest digital revolution, access and control of personal data will be more important than ever before.

Introduction

We are on the cusp of a digital revolution where massive amounts of data will be collected and processed about everything at all times. Current data collection and processing methods don’t adequately address data confidentiality concerns, and have little to no mechanisms in place for data ownership and control. In response, the EU is implementing the General Data Protection Regulation (GDPR) on May 25, 2018, which begins to comprehensively protect user data. For businesses of all sizes, and across all industries, the technical challenges are substantial and many won’t be ready. While GDPR is a step in the right direction, consolidating users’ personal data has its own set of inherent risks, so there is a critical need for a new set of tools that can ensure the transition to a democratized data future that is secure and private.

Digital revolution

We are entering the fourth industrial revolution: a seamless blend of the physical and digital worlds. Profoundly detailed digital representations of physical world objects — digital twins — will emerge in industry and for individuals. Even today, at the beginning of this revolution, personal characteristics such as your entertainment and news preferences, communications, health information, relationships, locations visited, and financial information are already being collected and processed.

The latest forefront is being driven by the Internet of Things (IoT), with its remote sensing and actuation capabilities. These capabilities are becoming a critical part of our world and an extension of our senses. The IoT holds the promise of measuring, sensing and interacting with everything, everywhere, all the time; thus enhancing our lives with automated, data-driven decisions. In short order, virtually everything, everywhere, will become “smart”. With this sea change, we need to ask ourselves a critical question: who should own and control this increasingly detailed and private data?

Data harvesting

In the current Internet era, we are generating massive amounts of personal digital data that trail behind us in our daily wake. Soon we will be leaving even more thorough and detailed digital traces of ourselves: much greater, and more sensitive, than we ever did with just the Internet. Estimates suggest that in 10 years there will be 20 IoT devices for every person on the planet. With this number of networked sensors, data will double every 12 hours (The Future Information Society: Social and Technological Problems, Wolfgang Hofkirchner, Mark Burgin, World Scientific, Jan 24, 2017).

Many companies have been founded on the premise of collecting and processing data to resell to third parties, sometimes with minimal consideration, consent, or respect for the generator of the data. While most of the data collectors are legitimate, informed consumer consent is questionable. Consent has often been based on obfuscating how to “opt-out”, our inability to genuinely comprehend lengthy agreements, and perhaps most importantly, our desire for the product or service with little regard to the privacy we are trading in exchange.

The recent Equifax breach brings to the fore another level of consent: third party. Equifax collects financial data on US citizens and helps streamline business dealings. However, as an individual, did you consent to Equifax gathering and processing much of your most personal data, and by so doing, putting your consolidated personal data at risk?

The recent market strategy of collecting as much data as possible and turning Big Data into Big Money needs to be re-envisioned so that an individual’s and business’s right to data sovereignty is at the core. Data is power, so it is crucial that individuals and businesses have the right to stay informed about what data is being gathered, why it is being collected, who is collecting it, and how it is being used.

Government regulations

These facts have not gone unnoticed by governments and regulatory bodies. Fortunately, the Wild West style of data collection is coming to an end, at least for consumer data originating in Europe. On May 25, 2018, the General Data Protection Regulation (GDPR) will gain legal force to give consumers greater control of their data with potentially enormous consequences for businesses that don’t comply: €20M or 4% of revenue in fines, whichever is greater. At the core of this regulation is the democratic belief in the fundamental human right to personal data privacy combined with real enforcement sanctions.

Some key provisions of GDPR for businesses to note:

  • “…shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language…”

The ability to hide behind an “all-encompassing” agreement is over and supplanted by the right to be informed. Now, companies have to be crystal clear about what data they collect, why, and how they are using it.

  • “…collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…”

Most notably, the regulation forbids the collection of “arbitrary” data. Data collection and processing have to be specific and have a legitimate purpose. For example, an autonomous vacuum cleaner collecting information on your home activity is a likely violation.

  • “…[the] right of access, to rectification, to erasure, to data portability, to object and data expiration…”

While technically intense, these rights are relatively straightforward and explored in numerous articles.

  • The right to restrict processing

One of the trickier rights to implement, especially when portions of processing and business logic are embedded in databases. Today applications pull and push the data, and processing occurs in various parts of the system that are subject to independent updates and not necessarily controlled by the company gathering the data. Under GDPR, the collecting company needs to show and provide a control mechanism to comply.

  • Right not to be subject to a decision based solely on automated processing.

This is perhaps the most interesting and relevant to the emerging Machine Learning (ML) and Artificial Intelligence (AI) markets. With enterprises buying Analytics Platforms and Business Intelligence tools as a service, companies may not even know when the data has been processed using ML/AI algorithms.

Challenges

GDPR’s intentions are laudable and are the nascence of genuine personal data sovereignty. Getting there will be a bumpy process as the courts clarify legal interpretations and businesses struggle with the technical and cost challenges. Approximately 65% of US companies will spend between $1 million and $10 million on compliance, yet 50% of them will miss the GDPR deadline.

Currently, most enterprise data is scattered across tens of systems, applications, databases, and often an array of ML, AI and similar services (consider analytical platforms that ingest data and process it on behalf of the company, or even database as a service). These existing solutions will need to be mapped and organized to expose what data is collected, provide control mechanisms, show how data is processed and, most critically, provide a means to disable that processing.

Perhaps the most significant and pressing challenge is oversight: who will guard the guardians, and will our data be secure? Today, personal data is spread across hundreds of databases, unstructured, managed in hundreds of different ways and guarded by business interests; making it hard, if not impossible, to do mass analyses and surveillance. Ironically, while protecting the data, GDPR extends the attack surface and consolidates the data. With technology in place that allows you to see and control every aspect of your data, somebody else can potentially also have that same, easy and structured access.

Bright future

We believe in and are working towards ensuring a brighter future where data enhances our lives while respecting individual privacy, and welcome GDPR as an opportunity to become a more empowered, open and transparent society. What’s at stake is our rights as individuals in a democratic society. GDPR’s key tenets benefit everyone, providing clarity and transparency on what data is collected, how it is processed, providing control mechanisms, and controlling when decisions about us are made by machines.

We envision a future where data agreements are balanced and fair for all parties. Data agreements must become a more transparent and clear exchange of information between parties. We envision a future that limits single entities from aggregating all our data in a single place, to a future where your data is distributed everywhere, securely, yet fully under each individual’s and business’s sovereignty. We envision a future where your digital twin and data sovereignty are protected and managed by digital assistants, that will enhance our lives in ways we can only begin to imagine.

We believe that GDPR is an opportunity for companies to transform their digital and conventional IT operations to an integrated operational model, rather than just “patching — IT”. This will enable companies to innovate faster by making their data actionable faster, at-scale, and cost effectively.

Our mission

At harmony.ai, we’re on a mission to democratize and secure data while ensuring data privacy. Today we are building next generation software tools and services enabling companies to adopt integrated operational models. We are reducing the complexity of large scale distributed systems by automating software development, data privacy and security, and enabling interoperability with legacy systems.

With just over half of Fortune 500 companies dropping off the list since 2000, and an estimate from Cisco CEO John Chambers noting that 40% of the Fortune 500 will be defunct in the next decade because of their inability to adapt to the digital transformation, one thing is clear: change is no longer optional; it is the key to survival.

How will you handle the digital transformation?

Laurynas Riliskis
Augmented Intelligence

Ph.D., x-founder, has spent decades working with security, data management and compliance, including postdoctoral research at Stanford.