Data Protection Gets Personal

Data protection in the digital age

DISRUPTIONHUB interviews Toby Stevens, Global Data Protection Controller at consumer goods company Pladis…

It’s time for a data check-up. Over the entire course of human history up to the year 2000, we produced five exabytes of data. That’s a fairly large amount, you might think – five billion gigabytes. Yet by 2010, we began to produce that same amount of data every 10 minutes. As the influence of technology on our lives continues to grow, we are becoming more connected than ever, and the amount of data we create is only set to increase.

At this year’s Disruption Summit Europe, Nell Watson of Singularity University said that we are drowning in data, and that this is a good thing. But what is happening to all of this information? How can we ensure that it is used effectively, and in a way that protects our personal privacy? As the reach of data expands, so does our need to manage it appropriately.

We’ve lost control

Toby Stevens, Global Data Protection Controller at consumer goods company Pladis, takes a sceptical view of the current availability of large amounts of personal data, because it is extremely difficult for us to understand how that data is collected, stored and used. “We can’t control what we can’t understand,” he explains. According to Stevens, this threatens our privacy as individuals.

“At this point,” he says, “the cat is out of the bag, and the implications of this loss of control are only just being understood. This is evidenced, for example, by the likes of the Cambridge Analytica scandal. For most individuals – even the regulators – the usage of their personal data by social media companies and the implications of that usage are too complex and too abstract to comprehend. In that environment it’s immensely difficult to effect any control over how personal data is used.”

But what about the business benefits of data? Companies use personal data to better understand their consumers, create products and services, and ultimately drive growth. So more data should equal more desirable business activity. Isn’t this good news for us all?

“From the business side, obviously data proliferation presents opportunities,” says Stevens, “but only if you can manage that mountain of data. If the valuable data is effectively a needle in a haystack, and the haystack just keeps getting bigger, it becomes much harder to extract the value. Some argue that more powerful tools are needed to find the needle; others that the best thing to do is to burn the haystack down.”

Large amounts of data, then, are only valuable in business if relevant insights can be extracted. The current practice of collecting data by default, without a clear purpose in mind, is actually hindering companies’ efforts. If businesses want to avoid burning down the metaphorical data haystack, this system needs to change.

Data model II: this time it’s personal

In a reversal of past practice, the next data model will unify the individual’s right to privacy with the extraction of commercial value. For Stevens, this involves applying privacy as a fundamental design principle to future systems, so that data points can be fully analysed and exploited without compromising an individual’s rights. How would this work? Imagine, for example, that a company has a large database of potential customers they wish to analyse:

“You can either tinker with that database in identifiable form,” Stevens notes, “or you could anonymise the individuals and pseudonymise things like address data. Doing this would enable you to develop which segments you wish to target, and only then extract the data you need to do the targeting. It’s a very simple example, but it means that you can hack away with the data to your heart’s content. No one’s privacy gets invaded, and you only actually exploit the personal data at the end of the process.”
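The workflow Stevens describes, sketched as an added example (not code from Pladis or from the original article): direct identifiers are replaced with keyed tokens, address and age are generalised, segments are chosen on that data alone, and only the chosen segment is re-identified at the end. The sample records, field names, demo key and the HMAC-based tokenisation are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records (not real people).
CUSTOMERS = [
    {"name": "A. Example", "email": "a@example.com", "postcode": "SW1A 1AA", "age": 34, "spend": 120.0},
    {"name": "B. Example", "email": "b@example.com", "postcode": "SW1A 2BB", "age": 37, "spend": 180.0},
    {"name": "C. Example", "email": "c@example.com", "postcode": "M1 3CC", "age": 52, "spend": 40.0},
    {"name": "D. Example", "email": "d@example.com", "postcode": "M1 4DD", "age": 58, "spend": 60.0},
]

def pseudonymise(records, key):
    """Return (analysis_rows, lookup). Only the lookup can link a token to a person."""
    rows, lookup = [], {}
    for r in records:
        token = hmac.new(key, r["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {"name": r["name"], "email": r["email"]}
        rows.append({
            "token": token,
            "area": r["postcode"].split()[0],       # generalise address to outward code
            "age_band": f"{r['age'] // 10 * 10}s",  # generalise age to a decade band
            "spend": r["spend"],
        })
    return rows, lookup

def segment_average_spend(rows):
    """Analyse pseudonymised rows only: mean spend per (area, age_band)."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row["area"], row["age_band"])].append(row["spend"])
    return {seg: sum(v) / len(v) for seg, v in groups.items()}

def extract_segment(rows, lookup, segment):
    """Re-identify only the members of the chosen segment, at the end of the process."""
    tokens = [r["token"] for r in rows if (r["area"], r["age_band"]) == segment]
    return sorted(lookup[t]["email"] for t in tokens)

def run_demo():
    key = b"constructed-demo-key"  # assumption: in practice a secret held apart from analysts
    rows, lookup = pseudonymise(CUSTOMERS, key)
    averages = segment_average_spend(rows)
    best = max(averages, key=averages.get)  # segment with the highest mean spend
    return rows, averages, best, extract_segment(rows, lookup, best)

if __name__ == "__main__":
    _, averages, best, targets = run_demo()
    print(averages, best, targets)
```

Keyed tokens of this kind are pseudonymous rather than anonymous: whoever holds the key or the lookup table can re-link them, so both need to be kept apart from the analysis environment.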

This kind of model would give businesses valuable data points, whilst protecting consumer privacy and making the entire data processing system more efficient. Notably, the practice of only extracting targeted segments of data also involves a subtle reshaping of attitudes. Rather than giving businesses a free pass with our data, this approach suggests that they are allowed to use it within certain parameters. Stevens agrees.

“Underneath the current way businesses operate around data is a sense of ownership,” he says. “Businesses still feel that they own this data. I think a far more accurate model for the future will be that they have a license to use it. This makes sense given that the data subjects – the people who generate it – can exercise rights over that data including rectifying, objecting to its use, or in certain situations demanding that it be erased.”

Data protection and legislation

It wasn’t possible to miss the fact that new data protection legislation came into effect this year. Amongst other things, GDPR requires companies to provide evidence for their right to process personal data, maintain that evidence over time, and operate rigorous data protection controls. While the new regulation might not have revolutionised the lives of consumers, it has boosted public awareness around data protection. Stevens has observed three distinct shifts since the adoption of GDPR which are part of a new conversation on data.

“Firstly,” he says, “GDPR has put data protection into the public psyche. People now appreciate that they have some rights. I think that public understanding of those rights is still embryonic, but the notion of data protection is in the public mindset now so that’s absolutely a good thing.”

“The second thing that it has achieved is to force companies to start living up to their responsibilities about how they manage personal data. Under the old data protection act, the penalties were so small and so rarely enforced, most companies just paid it lip service – if that. Now they are being forced to sit up and pay attention. We’ve yet to see fines under GDPR, and significant fines are likely to be a long way off, but it has achieved that change in corporate attitudes.”

“Thirdly, of course, GDPR has delivered a change in the privacy profession, which ten years ago was a small handful of people, mostly in either big internet companies or the public sector. We’re now seeing the emergence of a recognised data protection career path, with associated professional bodies, and any large company worth its salt can point at a data protection officer.”

Further legislation around data protection is already on the way. This year, the UK instituted a brand new data protection act, and the European Commission is working on updated e-privacy regulation. According to Stevens, when this European legislation eventually comes into effect it will have a particular impact on B2C companies.

“For anyone engaged in direct marketing the e-Privacy Regulation will be transformational. It will define the responsibilities for direct marketing, and is likely to have a very significant effect on the way that developers and online advertisers can use cookies, beacons and other tracking technologies.”

A word on innovation

For companies trying to navigate the data space, the promise of more legislation on the horizon might seem like an impending headache. It means more complex legal documents to understand, more rules to comply with, and the threat of increased penalties if things go wrong. However, it is important to note that data protection can also foster innovation.

Stevens points out that the common framework created by data protection legislation clarifies responsibilities for companies and rights for individuals. This will ensure that personal data is treated with the respect that the data subject deserves. What’s more, data protection laws help companies to collaborate with each other, as everyone has a legal obligation to conform with standardised data practice.

“Anyone who complains that data protection is hindering innovation is not looking at this in the right way,” he says. “They’re probably trying to take shortcuts which ultimately would undermine the effectiveness of the product that they’re working on, because sooner or later consumers would cease to trust it. So I’m convinced that whilst there will be some short term moaning, particularly from companies who have never bothered doing data protection properly in the past, in general, I think improved data protection will be good for innovation.”

If we can all get on board with appropriate data protection controls, then, companies can achieve their aims, individuals can protect their privacy, and we’ll all sail happily off into the sunset of the new data era together…

Of course, things aren’t quite that simple. The world of personal data is extremely complex, and once our privacy has been breached we can’t ever get it back. As the amount of data in the world continues to grow, one thing’s for certain: the longer we wait to sort this out, the harder it is going to be to fix.
