We recently launched the Big Data Survey to research how organizations use Big Data. One of the questions was whether the respondent is familiar with the General Data Protection Regulation (GDPR).
You can download the report on our website if you're curious or read on if GDPR is the only thing that matters to you.
The Regulation, adopted on 27 April 2017, will become enforceable from 25 May 2018. This is less than a year away and the changes it enforces are, especially for some organizations, far-reaching.
It was a surprise to learn that up to a third of the Survey respondents are not familiar with the Regulation.
If you are familiar with the regulation, you probably are aware that the GDPR specifies:
- Automated decision making is made contestable. This means that the outcomes of algorithms can be questioned and challenged;
- Automated decision making should not use personal characteristics (age, race, etc.);
- Data protection must be implemented by design and by default;
- A Data Protection Officer (DPO) must be appointed (with some caveats);
- Revoking consent for using data for a specific purpose must be as easy as giving consent, and can be revoked at any time;
- Pseudonymisation should happen as soon as possible;
- There is a right to erasure;
- Data should be portable between data controllers (a data controller is a company collecting data);
- and more.
In any large enough organization, things such as the right to erasure, contestable decision making, and revoking consent are all changes that sweep across many systems and units. Individually they represent a lot of work, and together they almost seem daunting.
Many companies are struggling with the GDPR already. From the Survey, almost half of the respondents said that their company is not ready for the GDPR. The other half, probably, has not realized what the GDPR really means for their company 🙂
Not surprisingly, there is a plethora of articles online (just search for "how does the GDPR affect me" on Google) that explain what the GDPR is, how it affects your company and, sometimes, how to fix it.
Most of them present the GDPR from the risk angle: what you should do to be compliant with the GDPR, avoiding the steep fines the GDPR entails when a company is not compliant.
What I'm not seeing much of is the opportunity angle, which is much more exciting and less scary.
The opportunity angle arises from the data portability section of the GDPR (Article 20, Right to Data Portability). Paraphrased, the Article states that, basically, data subjects have the right to receive the personal data concerning them that they provided to the data controller.
The data cannot be dumped on the requester just like that though (as happened in Europe vs Facebook): it must come in a commonly used and machine-readable format. Moreover, when technically feasible, the data subject shall have the right to have the personal data transmitted directly from one controller to another.
If you think about it for a second, you can immediately see that, when your algorithms get better with more data, your company becomes more attractive to your potential clients.
Let's say you are an insurance company, collecting driving behavior and adjusting the premiums using that data. The more years of data you have, the greater the potential saving for your customers. If you are the first (or the only provider) accepting data from others, you have a great opportunity in front of you.
What you need is to be quick in creating converters from the format your competitor is using to the format you're using. Once that is done (easier said than done, admittedly), your onboarding becomes much smoother. You can immediately tune the premium.
On the other hand, this also means that the lock-in argument doesn't hold anymore and you have to differentiate along other axes.
Or take the example of an online shop. If you can bring your data with you, it also means you can offer new services, where fashion recommendations are much more tailored to your real style as the algorithms have a much richer history at their disposal.
There are many more examples and I'm sure each company has its own use cases where getting data from competitors would be of value.
So the next time your head spins from all the new burdens that the GDPR might be imposing on your company, don't forget that there are plenty of opportunities made possible as well!