Cracking the problem of consent
Rightly or wrongly, consent — what it looks like, and how it works — lies at the heart of today’s personal data landscape. From May 2018, Europe’s new General Data Protection Regulations will tighten the rules surrounding consent. From then on, ‘consent’ will only be valid if it is “freely given, specific, informed and unambiguous indication of the data subject’s (i.e. person’s) wishes by … a statement or clear affirmative action”.
Just how this new rule will be interpreted and enforced by regulators remains to be seen. But as Tom Steinberg points out in a recent blog, the new tightened rules are not a panacea. As Tom observes, individuals are being bombarded with an increasing number of consent requests, each one requiring unrealistic levels of knowledge of the implications of sharing different types of data with different types of organisation. Giving consent imposes a burden of work on the individual and individuals are signing their rights away by giving consent to everyone who asks for it.
Tom’s solution is the creation of what he calls ‘Personal Data Representatives’: experts who understand the ins and outs of data to help individuals make the right decisions.
We at Mydex have been working on this idea for many years. Our goal is to create a system where individuals are protected against abuses of their data automatically and by default, without them having to invest huge amounts of time and effort into the process.
That’s easy to say, but for it to work it needs to address a key set of capabilities that we are incorporating into our Consent Management service. For such a service to work it needs to be able to:
- deal with any type of data in any format
- connect with data regardless where it is held or where it is needed.
- support a diverse range of protocols and standards and act as an interoperability service to reconcile the diverse sectors, use cases and initiatives and different stages of maturity e.g. Health Data Sharing strong on messaging standards, Open Banking APIs new protocols and standards, Open Energy APIs
- ensure the individual has their own records of all transactions the service deals with and processes, whether they were directly involved or not
- allow the individual to modify and create new policies of their own
- provide monitoring, information and ratings about performance of those using the services and individual’s data
- manage the other requirements around transparency through collection of things like data usage reports
- automatically analyse stated intentions of use and compare to the organisation’s actual behaviours
Such person centred services are exciting because they build the foundations for an individual to operate within the digital economy assisted by intelligent agents that are working for them, protecting them, advising them and guiding them. There’s a huge amount of hype right now about how artificial intelligence (AI) is going to change the world. But the AI we are talking about is AI with a crucial difference: it is personal AI, AI working for and on behalf of the individual — not a for a corporation undertaking an ongoing data landgrab.
This raises two questions that Tom’s blog doesn’t fully answer. First, how will such representatives/agents cover their costs and make their money? Second, as soon as you have expert representatives, or agents, you have an alignment problem: how to ensure that the representative/agent is actually truly working for the individual and not for themselves or some other party? How do payments and incentives work to make sure that the agent/representative doesn’t become a part of the problem rather than part of the solution?
We’ve thought about this problem long and hard. It’s why we chose to be a Community Interest Company — because we are determined to build such alignment into the very fibres of what we do. As a CIC, we are not in the business of making money out of people and their data. We earn our money by helping individuals manage their data, including consents about their data, in such a way that builds trust and streamlines safe data sharing between themselves and the organisations they deal with.
‘Consent’ was supposed to be a way of protecting and empowering individuals. Unfortunately, it became a stick to beat them with, for the reasons elucidated by Tom. We absolutely agree with Tom — the way forward lies in agents using advanced technologies to work on behalf of the individual. We just have to make sure they really do work on behalf of the individual, both technically and commercially.