In August 2017, India’s highest judicial office, The Supreme Court, upheld the right to privacy as a fundamental right of the country’s citizens. In an era, where data is easily disseminated through a wide array of physical and digital channels, we often end up losing control of the very resource that we created and one that defines us in myriad ways. Yet these are early days as the specifics of India’s right to privacy (such as responsibilities of various entities involved in originating and handling data, what constitute violations and the resulting implications) remain to be fleshed out. Nonetheless, the ruling, which in many ways has been heavily influenced by EU’s GDPR, will dictate how organizations manage data with greater responsibility.
But what has triggered this wave of regulations and directives around protecting data privacy and preventing data misuse? Is it a fad destined to reach a high before it fades away? Or is it a movement that will not just challenge but also change the status quo?
In all honesty, none of us can be absolutely certain at this point about what the future for data privacy would look like. Through this post, my attempt is to analyse what could be GDPR’s potential implications for us, as citizens, as consumers, or as businesses.
For every effect, there is a root cause
Laws such as the right to privacy and GDPR are imperatives in these times when much of our lives are lived online and where even our ecosystems are digitally connected. The unprecedented rate at which digital data is being generated is now being threatened by rising data breaches and digital identity impersonations that show no signs of abating.
In late 2016, data breaches rose by 40%. That’s just the statistics on the breaches that were officially reported. 2017 was another year of data breaches. From large corporates to small businesses, the size of the companies affected didn’t matter. No industry was spared - from financial services, healthcare, gaming and hospitality to government agencies. By some estimates, the global cost of data breaches will be around $2.1 trillion by 2019.
Gaining access to our data through unlawful or nefarious means, however, is just one part of the story. We, as customers, also willingly give away our data to organizations we do business with – when opening a bank account, ordering online, starting an email account or creating a social media profile.
Then there is the data that companies share with one another without the knowledge of customers... We have all experienced getting calls for offers such as home loans and credit cards from companies we’ve never done any transactions with. “Where do such companies get our data from?”, is a question that has bothered many of us at some point. Recently, Uber agreed to implement a privacy programme after it was accused in 2014 of failing to secure sensitive customer data and resulting in data misuse by its employees who had unrestricted access to customers’ personal information.
But what we see is only the tip of an iceberg. There are companies that track not just our online but also our offline behaviours such as the food we consume, the medicines we take, and even the pets we have. Acxiom, TargusInfo, BlueKai are companies not known to many. But these are big names in the consumer database marketing space. A peek into the magnitude of their operations reveals that Acxiom has information on more than 96% US households and half a billion individuals worldwide, processing more than 1500 data points per individual. TargusInfo claims to deliver 62 billion real attributes of customers. And these companies don’t even service customers directly! Another company ‘The Rubicon Project’ claims to have a database on more than half a billion internet users around the globe. While Acxiom, TargusInfo and Bluekai have built their businesses monetizing customer data, most customers are not even aware of these companies let alone how they profit from customers’ data.
Then we have companies such as Google, Facebook and Amazon where users share data about themselves, their interests and activities to largely access free services.
Into such a climate of absolute lack of data control and privacy enters GDPR making a strong case for protecting personal data and putting the onus on companies to build the safeguards.
One of the key changes that GDPR introduces is redefining personal data. Keeping up with the changing times, GDPR has outlined that personal data must include not just name, age, address, phone number or income bracket but also IP address, location, email addresses, cookies, websites visited and more. Sensitive personal data which earlier comprised of racial, religious belief, political orientation has now been extended to include genetic and biometric data.
GDPR – Start of Trust Economy
While companies have monetized customer data for a long time now, GDPR beams the spotlight on the most fundamental element underpinning relationships – Trust. When customers give their data to companies, the implicit premise is that it would be protected from falling into the wrong hands. As GDPR increases accountability of organizations that manage data, customers will have a greater say in not just how their data is handled but also who gets to handle it. Power, which so far clearly tilted towards organizations rather than their customers, would achieve greater balance. For consumers, in particular, such an equilibrium will lead to increased transparency and thereby, trust in the organizations they choose to do business with.
Going by the recent surge in interest surrounding technologies such as blockchain, we can see a growing demand for transparency and greater parity in the way value is shared with those who create the data instead of only benefiting the companies that control the technology platforms on which information is shared.
Another growing practice by companies is the pseudonymization or anonymization of data. Companies remove personally identifiable information from customers’ data before running analytics on large anonymized datasets. For instance, banks, fintechs and telcos ascertain creditworthiness of individuals using analytics. While GDPR encourages pseudonymization, it also allows customers to invoke its ‘Right not to be profiled’ to challenge companies’ decisions that are based on such automated processing.
As a result, customers will no longer remain relegated to the side, content to let their service providers make decisions for them. Instead, they would decide which companies to partner with, with trust being a crucial deciding factor besides the quality of products and services.
Without a doubt, these are positive changes designed to empower customers. But what about businesses?
GDPR stipulates non-compliance fines of up to EUR 20 million, applicable if businesses process or transfer data without customers’ consent or fail to notify about data breaches. For small businesses, such hefty penalties could well be the end of the road and for larger organisations, a sizeable portion of their revenues. Additionally, building data security measures require considerable effort and would rack up significant costs which explains why 61% businesses haven’t yet started to work towards becoming GDPR compliant.
But is it all bleak for companies? Despite the severe implications of GDPR, it might compel companies to look beyond commercial ambitions to build genuinely trusting relationships with their customers. It may well be the start of a new era of customer intimacy, one that would be based on ‘responsible innovation’.
So, what will responsible innovation look like? It might assume many forms, such as the emergence of a new breed of companies with unique business models.
Take Trunomi for example. A consent-based data sharing platform, Trunomi acts as a trust broker between customers and companies, making it easier for customers to provide their consent to businesses to use their personal data.
For innovative companies, GDPR might well be the catalyst that would humanize companies’ interactions with their customers by treating their data and consent seriously.
An example of such a company is Secco Aura, which enables people to connect and trade based on the strength of their character. When people demonstrate values such as kindness, courtesy, helpfulness, they get rewarded with redeemable points by those who have benefited from their actions.
PSD2 and GDPR
PSD2 requires banks to allow third parties access to banks’ customer data. Will PSD2 and GDPR support each other or would the two give rise to conflicts? In fact, the timing of GDPR couldn’t have been better. A positive outcome would be that both banks and the third parties would share the responsibility of securing customer data and would proactively build customer data security measures right from their products and services development stages.
End of free services?
If you’re not paying for something, you’re not the customer; you’re the product being sold. —Andrew Lewis
Many products that have become inseparable parts of our daily lives, such as email services, search engines, file hosting services, social networking and blogs, are free. But companies providing these services use our data to feed their smart machines, which in return, churn out personalized offers through tailored advertising. Remember companies such as Axciom and BlueKai mentioned earlier. These companies gather customer intent, expressed in seemingly innocuous ways such as when we search online for products or services. The data is then auctioned off to businesses, that provide those products or services. These businesses, in turn, use targeted advertising by deploying seemingly ubiquitous advertisements that follow us wherever we’d go online.
With GDPR, companies that provide free services will have to explain to customers how their data will be used and seek explicit consent. What were ostensibly free services so far could end up as paid services instead. But the costs that customers would pay to access the services would be far less than the costs that companies would incur by way of lost revenue.
Irrespective of how GDPR will impact, corporates and customers, one thing is certain. GDPR has lent credence to increasingly growing concerns about data privacy around the world. Whether through stringent data security measures or through high penalty fines in case of a data breach, GDPR would bring about a much-needed focus on protecting one of the most valuable and also the most easily exploited asset – customer data.
Juniper Research, 2015. The Future of Cybercrime & Security: Financial & Corporate Threats & Mitigation 2015-2020.
The Bubble Filter: What the Internet is Hiding from You by Eli Pariser
 Juniper Research, 2015. The Future of Cybercrime & Security: Financial & Corporate Threats & Mitigation 2015-2020.
Deepthi Rajan is leading the Market Research group at Royal Bank of Scotland, where she focuses on research and insights around strategies on Supply Chain Services. Her primary focus areas are digital sourcing strategies and enterprise-wide transformation.
Prior to joining RBS, Deepthi Rajan was IT Innovation Strategist at one of the largest private banks in India, evaluating myriad technologies and their applications across multiple industries. Her areas of interest are Analytics, IoT, Blockchain and Digital Strategy.
Credits: Photo by Cory Bouthillette on Unsplash