Rewarding Data Controllers
A radical idea for stopping personal data turning toxic.
Customer data as an asset is turning toxic.
Where only a few short years ago the best advice to business was to hoard it jealously as the font of future profit, now organisations are starting to consider offloading their customer data.
In this article we explore this shift of attitude toward personal data, from asset to liability, its causes, the questions worth asking, likely implications, and the one radical idea able to reverse it.
Data as an asset
The concept of Big Data came to prominence just a few short years ago. It combines the known phenomena of rapidly increasing amounts of data being generated, together with the promise of an improved ability to extract valuable insights from it when analysed.
From this combination came predictions of massive improvements in productivity and profits. Big Data became a management consulting catchphrase.
The growth in data has arguably outstripped our improving abilities to extract value. Much data remains “dark”. It’s estimated upwards of 80 percent of all data remains unimproved, in its raw form.
The anticipated torrents of value and wealth extracted from data has not yet materialised.
But our inability to convert data into wealth at the rate first expected is only part of the reason attitudes are changing. While it is yet to grow into the asset we first hoped, it’s on the other side of the ledger, as a liability, that personal data has recently blown out.
Data as a liability
There are two types of risk surrounding personal data that are becoming much more pronounced and are helping turn it into a liability.
One is reputational risk.
The list of large hacks and data breaches keeps growing. Notable examples that have caught our attention include those announced by Yahoo in 2016 and Sony in 2014. Most recently we’ve seen a data breach of 145 million customer records at Equifax.
Breaches are bad for the bottom line and market confidence. The Equifax breach, together with their bungled response, caused a drop of as much as 32 percent in their stock and $4 billion in lost market capitalisation.
The other is risk is regulatory. The law as it applies to the storage and processing of personal data.
Nowhere will this risk be more pronounced than for anyone doing business in the European Union come May 2018.
The fines built into the new EU General Data Protection Regulation (GDPR) are unprecedented. Organisations caught mismanaging or unlawfully processing data will be liable for fines up to €20m or 4 percent of global revenue, whichever is the higher.
On top of these risks, the GDPR is also comprehensively demolishing the moat business has erected around the data they hold on their customers. The people of the EU will have:
- The right to a free, easily machine readable copy of their personal data profile upon request.
- A right to request one organisation with our customer data shares it directly with another, even a competitor.
- A right to our data being erased upon request,
- A right to be informed by an organisation if they data they hold has been hacked,
- And, any organisation wishing to process our data in any way, has to first receive our express permission.
All of this comes into effect next May and applied not just to European businesses, but anyone with a European customer.
Questions
At this point, there are some questions worth asking.
Without the benefit of a moat and the hefty fines, what is the point of any business holding on to any more than the bare minimum of customer data necessary?
While making requests for our own data free of charge lowers a barrier to realising a right, what are we losing with the removal of a price signal where personal data is a tradable commodity with its own established market?
Moreover, is it fair? In a post GDPR world, individuals will inevitably be able to trade and receive revenue on data obtained for free. Do data controllers have a claim on these revenues when they’ve played an integral role in the creation, capture and storage of the asset sold?
Implications
Hefty fines for data mismanagement and breaches, and the dismantling of the protective moat built around customer data removes any sense of data as an asset beyond that required out of operational necessity.
The implications of personal data turning from asset to liability are significant and entirely predictable.
Anyone holding customer data, referred in the GDPR as “data controllers”, will seek to limit their exposure to a large risk and growing liability. Already the advice given to business to achieve GDPR compliance is to actively reduce the amount of data held. As a recent and more extreme example, JD Wetherspoon, owners of a chain of pubs across the UK, suffered a data breach and responded by deleting its entire database on 700,000 customers.
The deletion of data is a suboptimal outcome. For businesses, but also for their customers. Less data is value lost to the individual.
So the very same set powerful provisions in the GDPR that will lower the barriers inhibiting individuals realising their data rights, may have the perverse, unintended consequence of dramatically reducing the total amount of personal data we can possible reclaim.
Few rights over a lot, or many rights over not much? It’s an unappealing trade off, made worse by how hard it is to calculate.
But it’s ultimately a trade off the people of the EU needn’t even make.
A radical idea
The solution is enabling individuals to reward those organisations who capture, collect, store and are required to provide us free access to our own personal data. These “data controllers” are our banks, insurers, search engines, social media platforms, and as we’ve seen, also our local pub.
But individuals needn’t reward data controllers in every instance.
To be specific, personal data should be free to request in all cases, but where personal data is requested and then used by individuals to create financial value, we should have the opportunity to recognise and reward the integral role data controllers have played in getting our asset to market.
Data controllers play an irreplaceable role in the personal data value chain. Not rewarding them for this role will likely lead to less and lower quality personal data being captured and made available to individuals.
So we should choose to reward data controllers as a matter of fairness. Compensating them for the energy and resources expended.
But we should also do this as means of encouraging data controllers to not just collect, store and make available more quality personal data, but also to incentivise them to improve and transform our data from a raw product into valuable knowledge and insight, so when sold, both they and us stand to earn even more.
For all other non-financial purposes, where we use data for personal and social ends, for example to better understand ourselves and the communities to which we belong, to participate in politics or to find a potential partner, we should be under no obligation to reward data controllers.
In practice
Ever noticed having researched a holiday destination that relevant ads appear almost instantaneously in your social media feed? You might then have a sense of the existing market for personal data, where new information about us is continuously sucked up, added to our profile, packaged and sold.
And you might not recall ever giving your permission for this process.
The GDPR is causing enormous headaches for data controllers trying to remain compliant, but it’s having an even greater impact on data brokers, the small group of very large companies you’ve never heard of, responsible for purchasing, processing, packaging and then selling on our data.
As of May 2018 they’ll need the permission of every EU citizen for each of their actions. To do so, they’ll have to either come out of the shadows and establish a relationship with each and every one of us, or find an intermediary we can trust to do their bidding.
The new services of the post-GDPR world
Whether they’re the creation of existing data brokers or new market entrants, the GDPR will likely lead to the emergence and proliferation of two new services:
- The personal data store, and
- The personal data marketplace.
With empowering the individual central to their design, the former will give us the ability to collect, assemble, interrogate and manage our own personal data, while the later will enable us to permission the use of our data for a fee. You should expect to see both services often combined as a single platform.
Crucial to the success of these new services is securing a supply of quality data. As the market for permissioned personal information matures, the quality of raw data into and insights out of a platform will become key.
Dealing data controllers into marketplace profits turns their view of personal information from liability to financial opportunity. It creates an incentive to supply raw data, but also to transform and add further value to data on behalf of the individual so that it’s even more valuable at the point of sale.
After multiple breaches and hacks, data controllers, be they governments or corporations, have lost our trust. Rather than be exposed to ongoing reputational risk, this is an opportunity to restyle themselves as our partners, in realising both our rights and the value of our data assets.
A radical idea in action
At Worldview we’re designing a personal data store and marketplace, where the data controller is rewarded with a percentage of revenues on data sold by individuals that they’ve captured, collected, stored or transformed.
It’s a design made possible by new technologies.
Securing and facilitating a personal information marketplace is an oft cited blockchain use case.
Blockchain offers the ability to encode self-executing contracts between individuals and data purchasers, ensuring adherence with best-practice data processing principles, including compliance with the permission requirements of the GDPR.
And a key strength of blockchain is the ability to trace the ownership and movement of assets along a supply chain. So with blockchain, we’re able to indelibly attribute a controller to data, and thus reward them for their efforts whenever it’s sold.
We’ll be sharing more detail on the Worldview design shortly here on Medium. Follow us or subscribe here to ensure you don’t miss any of our announcements.
