Bulletin 27 April 2018. Flipping compliance… on its head (GDPR redux)
I seem to keep getting drawn into GDPR-related compliance conversations. I do so uncomfortably, for two reasons: first I am not a lawyer, and second, given the general level of misunderstanding about the new regulation (under a month to go, folks), I am very wary about offering anything that might be perceived as advice. Something I am absolutely clear about, however, is that it is all the wrong way around.
Let me say first that I understand why. We live within a social structure based on the rule of law, rather than any other principle. The law may be an ass but it has stood us in good stead over the centuries: from its roots setting out rules of civil conduct, or presenting the latest impositions of those in power, it’s generally been accepted (sometimes begrudgingly), as the rulebook to be followed.
This was all very well when resources were plentiful, but as we have come up against the limitations of our own population growth and voracious appetites, efficiency has become the name of the game. There was a point, not that many decades ago, where the role of law flipped from something to be followed unthinkingly, to a set of criteria to work within.
So, it’s become less important, for example, to do the right thing, and more important to demonstrate that the rules have been followed: the cry if “I didn’t do anything wrong” ((c) Richard Nixon) may be defensible, even if the behaviour is deemed unethical. It’s well-known that banks have made it their business to look for loopholes in regulation, and why? Because that’s where the money is.
For law makers, the result is to create more laws. Banking regulation is getting more and more complex: this creates more complexity, and therefore the potential for more loop holes. And so it goes on. And on. And on, to GDPR, which has done a pretty good job of closing a number of stable doors… though it remains to be see what it has not dealt with in terms of our privacy.
Apologies, I’m rambling as usual. Back on the topic of GDPR conversations, organisations of all shapes and sizes have several choices. The first (and most obvious) is to comply with the regulation, appoint data controllers, inform customers and request appropriate consent, and all that. Frankly, doing so is blooming hard given the level of information, and the scale of the challenge.
The second, however, is to address it from same the perspective as the regulation. GDPR is coming into force in direct response to repeated abuse of personal privacy, in the name of (that horrible phrase) ‘data monetisation’. Its base requirements are pretty straightforward: hold only the data you need to do the job, and have good reason to do so.
For organisations looking to do the same thing that they did last week, this makes things pretty simple: define what you do, say what data you need, and if you need to ask customers to do so, then ask. This is no more nor less than an information strategy — the difference is that it is being publicised to customers. Bluntly, it you don’t have one, you should, for a raft of reasons not just compliance.
Of course it may be the case that an organisation wants to hold onto more information than it needs, and/or do things with it that the customer doesn’t like. The answer, simply, is, well, don’t, or you will get into trouble. But the majority of organisations I have spoken to are not in this category — they just want to ensure they don’t get caught short. Creating a clear and defensible statement of intent, then broadcasting it out to those affected, is a solid starting point.
The third choice, open to all but probably only accessible to the biggest organisations, is to play the “we aren’t doing anything wrong” game, that is, see loopholes in the regulation as an opportunity to push things as far as possible (or at least, make hay until the loopholes are closed). This will inevitably happen with GDPR, indeed, it probably already is if Facebook’s ’sidestep’ is anything to go by.
One thing’s for sure — this isn’t over — May 25 is a starting point. Let’s see where it goes… and meanwhile, here are some articles for the week.
GDPR – are we witnessing the death of one-way monetisation?
GDPR has certainly put the cat among the pigeons, for better or worse. This article is a stake in the ground — building on the above, it is becoming less and less viable to take customer data and then try to make money out of it for its own sake. Apparently. Also building on the above, time will tell whether organisations simply find other ways to take data-related value out of customers and pass it to shareholders.
Five questions for… the AURA fitness band
Apropos of data, we continue to look for new ways of creating it. I don’t think there’s any contradiction, in that all technologies can be used for both good and less good purposes. In this case, the potential of low-cost bio-impedance data (to indicate BMI, heart rate and hydration) is pretty compelling. And/but it is yet another illustration of how the ultimate owner of any such data should be the individual to whom it relates.
5 questions for… Densify: a sign of the times
On a different tack, the number of meta-infrastructure solutions — that is, technologies that help organisations decide what to do with their resources, wherever they are — appears to be proliferating. Densify helps organisations migrate workloads to the cloud, or optimise them once they are there, by understanding which of the (quite complex) options are appropriate. And it will continue to have a role as long as cloud providers are not offering optimisation as a service.
Semi-curricular: How not to be an industry analyst
Following on from the highly successful “How not to be a biographer” seminar, I’m plotting with the IIAR to present a few anecdotes about lessons I’ve learned across the last 19 years (including taking a break). More information soon. Oh and it will likely be followed by “How not to run a marathon.”
Thanks very much for reading and until next time, Jon
