Killing many birds with one stone
Sometimes, no matter how difficult it might seem, you just have to go back to basics. To solve a problem you have to go back to the root cause and deal with this root cause. And if you don’t, no matter what sticking plaster solutions you apply, the same old problems will recur again and again and again.
The need for structural, systemic reform
The root cause of the problems and issues we face with personal data today does not lie with the policies organisations may or may not adopt when collecting and using personal data, the regulations that govern these policies, or even the business models adopted. It goes much deeper than that, into the structure and architecture of the system itself — the fact that organisations have a monopoly on data collection and use and that individuals are excluded from being able to collect and use their own data for their own purposes.
That’s it. If we don’t address this issue at the level of its root cause (the very structure of the system itself), no reforms will ever deliver the solutions we need, and problems and pitfalls will continue to assert themselves across the board in multiple different guises and forms, whether it’s about fairness, safety and security, checks and balances of power, economic efficiency, or innovation and growth.
The National Strategy for Personal Data outlined in our last blog addresses personal data at the level it needs to be addressed — at a systemic level. In doing so, it kills many different birds with one stone. Below, we outline how it does this, delivering compelling benefits across the board along the way (we describe today’s status quo in ordinary type, and what’s possible today in italic type).
Status quo: ‘organisation-centric’ collection and use of personal data. Organisations collect data about individuals (e.g. customers) and use this data to pursue the organisation’s purposes and interests.
What’s possible today: New decentralised, distributed personal data infrastructure. While organisations continue to use personal data to provide services, every citizen is provided with their own bona-fide Personal Data Store and can collect and use their own data in pursuit of their own purposes and interests independently of any specific service provider.
Just to stress one point. The Mydex platform is built to operate at scale and is already up, running and in use (and independently certified under ISO 27001). So what we describe in this blog is not some pie-in-the-sky fantasy about some dim distant future. We could start using this already-built infrastructure today and the resulting benefits would come on stream with increasing momentum as adoption reaches critical mass. We are talking about real, practical, immediate operational potential, not theoretical dreams.
Status quo: Centralised. Data is collected into a relatively small number of very large centralised organisational databases, creating a data ecosystem made up of many ‘moated data castles’.
What’s possible: Distributed/decentralised. Data is also collected by millions of individuals in their own Personal Data Stores (PDS), creating multiple nodes in a data sharing network.
Status quo: Concentrations of data power. Large organisations like Google and Facebook achieve increasing concentrations of data power as they collect more and more data.
What’s possible: In-built rebalancing of power as increasing amounts of data are held by individuals and large organisations cannot gain access to this data (without express permission).
Status quo: Concentrations of wealth. Benefits of data collection and use concentrated into the hands of a small number of companies, thereby exacerbating extreme inequality.
What’s possible: Fairer distribution of wealth. Benefits of data collection and use distributed to every individual with a PDS whose data asset appreciates in value over the individual’s lifetime (rather like a pension).
Status quo: Data fragmented/dispersed. Most data is held in a small number of corporate silos but this data is fragmented — defined by the nature of the organisation’s activities. Facebook has huge amounts of social media data, but very little health or financial data. Tesco has data about what customers buy in its stores, but has no data about what they buy elsewhere.
What’s possible: Data integrated. Use of Personal Data Stores enables individuals to create a full, rounded picture of their lives (e.g. health, financial situation, etc) by integrating data from multiple different sources (enabled by GDPR data portability rules). This results in the creation of new never-seen-before data assets with immense potential social and economic value.
Status quo: Restricted availability. Organisations regard personal data as a strategic asset and source of competitive advantage. As the UK’s Treasury has recognised, organisations are incentivised to block the sharing of this data even with the individuals whose data it is, even though it could create additional value.
What’s possible: Increasing availability. By requiring organisations to provide an electronic copy of their data to individuals, GDPR opens the door to individuals being able to access and use this data for their own purposes.
Status quo: Restricted uses. Organisations use the data they have to pursue their own priorities.
What’s possible: Enabling innovation and growth. Making data available to individuals, and services working for these individuals, enables the creation of entirely new categories of personal information service which range far beyond the purposes prioritised by current data controllers. This is a potentially significant driver of innovation and growth.
Status quo: Geographic imbalances. Concentration of power and wealth largely located in one place: United States/Silicon Valley.
What’s possible: Built-in geographical balance. Data collection and use is distributed appropriately, to wherever citizens happen to live.
Status quo: Duplication of effort. With individuals’ data dispersed across many separate data silos, each organisation duplicates multiple data collection and management processes, and continually reinvents wheels (such as establishing its own separate identity management systems or terms and conditions for data collection/use).
What’s possible: Minimise wasted effort. By enabling a ‘make once use many times’ approach, e.g. for identity assurance or checking verified attributes such as entitlements or qualifications, Personal Data Stores remove large amounts of duplicated effort and waste from the system.
Status quo: Unnecessary complexity. Because each separate organisation is reinventing the wheel with its own bespoke data management processes, together they create the equivalent of a railway network based on multiple incommensurate railway gauges.
What’s possible: Simplification / standardisation. By enabling interoperability and standardisation of core processes (e.g. identity, Safe By Default consent systems) a PDS infrastructure removes large amounts of waste from the system, reducing cost, friction and effort for all.
Status quo: Poor quality. Because they operate in separate silos, organisation-centric data management systems have no automated means to check data or share updates with other parties. Dealing with the problems created by poor quality data is expensive, leading to frequent defaults to expensive manual processes.
What’s possible: Improved reliability. By enabling automated mechanisms for the sharing and checking of Verified Attributes (e.g. via APIs), a Personal Data Store infrastructure cuts data management costs and improves system efficiency by enabling increased automation of data processes.
Status quo: Poor data security. Large centralised databases create ‘honeypots for hackers’, leading to multiple data breaches and undermining trust in the system.
What’s possible: Increased safety. Because each individual’s Personal Data Store is separately encrypted, a PDS-based data infrastructure minimises rather than maximises data safety risks.
Status quo: Exclusive. Organisations are the only entities with the practical ability to collect and use personal data, thereby excluding citizens from participation in the data economy.
What’s possible: Inclusive. By enabling and empowering every citizen with their own data, a PDS-based infrastructure builds inclusivity into the workings of the data economy.
Status quo: Privacy invading. To maximise commercial and competitive advantage, organisations are incentivised to collect as much personal data as they can, and to game consents and permissions processes to let them do so.
What’s possible: Privacy protecting. By giving individuals control over who has access to their data for what purposes and by using standardised Safe By Default terms and conditions, PDSs safeguard rather than undermine privacy.
Status quo: Conflictual. Corporations seeking exclusive control over data for the purposes of profit maximisation have turned personal data into a battle ground of vested interests.
What’s possible: Mutually beneficial. Bona fide PDSs, which build individuals’ control over their own data into all data collection and sharing processes, enable more cooperative approaches to data sharing and use.
Status quo: Trust eroding. Because of all the above issues, including imbalances of power, unfair rewards, exclusivity, lack of security and threats to privacy, the current organisation-centric approach to the collection and use of personal data is undermining the trust the system needs to work.
What’s possible: Trust building. By tackling all of these issues, a PDS-based infrastructure builds rather than undermines the trust needed for a digital economy to flourish.
The blind men and the elephant
As the old story goes, when a group of blind men touch different parts of the elephant they each end up with a different story to tell about its attributes: the hard smooth tusks, the flapping ears, legs like tree trunks, the flicking tail, the whale-like body.
Likewise, debate about personal data tends to gravitate to one angle at the expense of another. Some people focus on the opportunities for innovation, others on concentrations of power, others on intrusions into privacy, others on efficiency, others on civil liberties implications, and so on. Almost invariably they end up talking at cross purposes.
But as we’ve shown above, addressing personal data in the right way, at a structural, systemic level, addresses all of these issues at the same time, in a positive mutually reinforcing way. It really is time we got a move on to make it happen!