The last decade has shown a rapid growth of concern among citizens about data privacy. Policy makers have made every effort to react upon that worry. As a consequence, regulations on data processing are being tightened. How do these changes have impact on data-driven entities?
Customer perception of privacy
Historically the word privacy has a strong physical connotation like in the expression ‘the privacy of her own home’. It is broadly considered to be a normal requisite for daily life, if not a legal right. However, in the data era this has drastically changed. Nowadays, privacy is not only about ‘physical’ privacy, it also relates to ‘virtual’ privacy. It is about the protection of personal data and the right to preserve anonymity. To that extent, it still relates to a person’s comfort zone, although this is becoming increasingly difficult to define. A comparison may illustrate this. Recent academic research on perception of sustainability found that people tend to behave more on evading material loss than on an abstract profit. In an interesting experiment respondents preferred a lower price of tomatoes, yoghurt and coffee above an EKO (Dutch hallmark for organic products) hallmark. But that changed when the choice was between a cheaper product with a red crossed EKO label and the standard product, regardless if it came with a positive sustainability hallmark or none. Then the preference shifted towards the more expensive product. Unfortunately there’s no such thing as an authorised red cross through privacy. Respected brands might substitute it by integrating protection of personal data into their set of values. But at the end of the day consumers will expect privacy to be a normal product feature, just as Tesla are sold without a petrol tank. Differently stated, making data privacy an integral part of any proposition and deliver transparency on the issue is the only way forward: privacy by design!
The European General Data Protection Regulation (GDPR) that will come into force seamlessly joins that trend. It strengthens the position of EU citizens with regard to their data, making tough demands on organisations that collect data and raising financial sanctions on infringing the regulation. Among the ‘civil’ rights to be established by the GDPR are: easier access to people’s personal data, transparency around how these data are processed and the possibility to explicitly object to it, data portability (transfer of data to third parties) and the right to be forgotten. For many institutions the processing measures in GDPR will set new obligations like the registration of data leaks, the appointment of a dedicated Data Protection Officer and the introduction of data protection impact assessments. These boundary conditions however, pale in comparison to how data management systems are going to be affected by the rights described before.
The explosion of generated data in the last decade has also given way to aspire to a ‘360 degree customer view’. More data allows for better insights, may facilitate new points of view or just harness already available predictive models. State-of-the-art data processing capabilities are an important requirement to successfully realise the ambition. Not only to arrange for the integration of data from different resources. Above all, these capabilities are necessary to reach a more sophisticated level of data governance – privacy by design. To become compliant with the GDPR and gain customer acceptance a new approach to data management is a conditio sine qua non. In the near future, data processors will not only be accountable on what they do, but will also actively have to support full transparency on what data they process and for what purposes it is used – e.g. profiling – and adequate data security. The only foundation for this approach is an explicit consent given by the person whose data are at stake and stringent administration of this by distinguishing between different levels of consent e.g. give anonymous or personal data (customer vs. operator in control), let data evaporate instantly (the right to be forgotten) or transfer them externally new functionalities created by the GDPR are within reach.
Having the consent administration in order, just as entities register an address or the birthdate on their customer records, is the basic condition to compliant data governance. This may drive data stream management technology to provide building blocks for embedding core privacy functionality in data governance such as:
– in-memory data collection and selective storage
– encryption of data on processing
– access to all data streams exclusively to the Data Protection Officer
– in house deployment of data streams (vs. cloud)
– extensive change logging
Finally, this approach will also facilitate external audits to prove the conse