By Iain Henderson
I’m spending a lot of time right now down in the weeds of a large GDPR project; it’s hard going. The issues are not the usual suspects -budget, resources or even timescale. The problems are two-fold. Firstly there is a lack of precision in the regulation; that is probably understandable given the vast scope of the regulation. More high impact though are the in-conclusive nature of many of the decisions to be made:
- How do I segment my base to optimise the outcome given that I could do it many ways? This is really about choosing which bases for processing, considering the upsides and downsides associated with each option, and then picking which to deploy in the knowledge that compromises will be made.
- What volumes should we expect in terms of customers exercising their new-found rights; i.e. to what extent do we need to gear up and build new capabilities? This is also a bit chicken and egg, we have to make some pretty big assumptions, and then live with the consequences.
That particular project will find its own answers with some pretty complex technical solutions and a bit of juggling with a mix of bases for processing. Many data records will be lost/ deleted along the way, and that’s likely a positive thing. And that’s about as good as it gets when looking at GDPR from the organisational perspective – with each organisation running their own equivalent.
That’s what led me to my title for this piece; namely that old Irish joke…., ‘how do I get to XXXXX….?, well to get to there I would not start from here’. What’s that got to do with GDPR you may well ask….?
My point is that if GDPR has the fundamental aim of enabling individuals to take control of their personal data, then I would not start by focusing my regulation exclusively at what organisations should/should not be doing. There has to be something in there that looks at the wider set of capabilities required by an individual to take control of their data.
I’m saying that if you want to enable and empower individuals with and around their personal data then one cannot assume that individuals only have what they have now - smart phones, apps, browsers and supplier by supplier accounts. To genuinely control their data, individuals need to have at least some capabilities fit for that purpose. Those tools have to be built on the side of the individual, they cannot be otherwise without loss of ability to meet that core objective. If we assume no more than smart phones, apps, browsers and supplier by supplier accounts then we just don’t get there with GDPR. The regulation will at least partly fail, and be looked on retrospectively like a bigger and uglier version of ‘the cookie’ law with its many meaningless pop ups and unnecessary clicks.
So, if we follow that logic for a bit, what would actually be built on the individual side? How about a tool-set that enables me to do the following in the same way across all of my data sharing relationships with organisations irrespective of their technical platform:
- Understand, before I share data, the basis and terms under which the organisation wants my data, what types of data they want, what they wish to do with it, and who they wish to share it with.
- Where I have gone ahead and shared data, get a receipt for that shared data showing what all those involved have signed up to. This receipt to be in a format that machines can read it, and it should be permanently stored somewhere in case I need to use it down the track.
- Have ongoing access to the data I have shared, and all data then related to it by my suppliers and ‘things’ so that I can re-use it, correct or update incorrect data, download or share a copy of it, withdraw consent for its use, express preferences around specific uses such as being profiled or subject to decisions made by machines, and ultimately ask for my data record to be deleted where that is a valid option.
- Aggregate, combine, voluntarily build upon and, should I wish to, share the combined data from across all or a sub-set of my data sharing relationships. Doing so under my terms and control so that over time my data on me becomes by far and away the best view of me available (in terms of both richness and legal compliance of the data record).
If it was possible to build such capability on the side of the individual, the it would make the task of ‘controlling my personal data’ much simpler, much quicker, with much more value-add. Ultimately this would mean much greater uptake of the desired outcome; i.e. a lot more people in genuine control of their personal data. And better than that, the whole GDPR compliance process would get a whole lot easier than in my example above using a single JLINC protocol based utility, organisations could address ALL of the rights that individuals hold under GDPR.
- Right of information ✔
- Right of access ✔
- Right of rectification ✔
- Right to withdraw consent ✔
- Right of data portability ✔
- Right of erasure ✔
- Right to object ✔
- Right to restrict processing ✔
- Right to not be subject to automated decisions ✔
What’s not to like about that? Same processes, same user experience, deployed in the same way across many brands, apps and services.
That capability now exists -the JLINC Personal Data Service built on the JLINC protocol for permissioned data sharing. Sure, it’s early for the service and the protocol, but we believe the fundamentals are solid and the upsides are massive. So let’s not get too hung up on applying the GDPR sticking plaster. Well-meaning as it is, and a valuable counter to the massively damaging ‘data is free’ current modus operandi, it’s going to result in that very poor user experience for individuals who have to wrestle silo by silo with each organisation’s GDPR approach. In turn this can only lead to mass ignoring of ‘please opt in’ emails, switch off of data sharing and enormous use of ‘do not consent’ and ‘delete my data’ buttons.
I believe that it’s time to move beyond GDPR, move beyond negative outcome data sharing relationships for the individual, move beyond ‘I consent’ or ‘you justify’. Genuine, permission based data sharing with the necessary checks and balances in place is a positive sum game for all market participants other than the bad actors who will be exposed and at best massively reformed. Good actors will benefit from improved data quality and content, a clearer basis for using data, and most importantly improved customer relationships.