Back in 2014, WIRED magazine wrote that “data is the new oil of the digital economy.” And for the past three years, that has become a dominant refrain within the business world. In 2017, for example, The Economist wrote that “the world’s most valuable resource is no longer oil, but data.” No wonder, then, that corporations across Europe are starting to have very real concerns about the forthcoming European General Data Protection Regulation (GDPR), which will go into effect in May 2018.
In an attempt to address those concerns, a recent GDPR Innovation Briefing in Brussels brought together some leading thinkers on data privacy and data protection. At the event, Wojciech Wiewiorowski, Assistant Supervisor at the European Data Protection Supervisor (EDPS); Martin Abrams, Executive Director & Chief Strategist for the Information Accountability Foundation (IAF); Hilary Wandall, General Counsel & Chief Data Governance Officer at TrustArc; and Gary LaFever, CEO at Anonos, weighed in on the key concerns and misconceptions about the GDPR.
Is GDPR a data embargo on the digital economy?
If you accept the notion that data, indeed, is the new oil of the digital economy, then the new GDPR is the equivalent of an oil embargo. In a worst-case scenario, suggest pundits, it will choke off economic growth and cause the collapse of entire industries, just as an oil embargo of any nation would choke off future economic growth. In fields such as e-commerce, artificial intelligence, and healthcare, this data embargo would be potentially catastrophic.
There’s just one problem with that rather forced analogy – data, unlike oil, is not a finite resource. Prior to the 1970s, data was a finite, static resource, and something that could be housed on a mainframe computer in a vast computing center. Consumers would give their consent for corporations to use that data, and it would be incumbent upon corporations to protect that data on massive mainframes.
But, as speakers at the GDPR Innovation Panel noted again and again, something has fundamentally changed in the way that we think about data, use data, observe data and collect data. Nobody would dispute the fact that the sheer amount of data is growing every day on an exponential basis. Think about how much data your smartphone collects on an everyday basis. Then think about the sheer size of the Internet of Things, which is collecting more data than most companies know what to do with. It’s easy to see that data – unlike oil – is not a finite resource.
And that’s why the GDPR is not going to slow down the digital economy. The genie, as it were, is out of the bottle. Consumers don’t want to stop using their smartphones, their apps and their technological gadgets. They don’t want to stop ordering items online via e-commerce sites. And they certainly don’t want their favorite social networks to shut down due to the GDPR.
Think outside the checkbox
This suggests that the GDPR will shift the emphasis from a policy-based approach to data governance to a technology-based approach to data governance. In terms of innovation and economic growth, this is potentially a very exciting development because it will force companies to shift away from a purely consent-based form of compliance. For most corporations, data privacy today consists only of a single box that consumers must check before using their services – and that has made them think of data as a compliance issue rather than an innovation issue.
No wonder, as was pointed out at the GDPR Innovation Panel event, 61% of corporations within the EU have not moved beyond just a rudimentary analysis of how to respond to the GDPR. They are viewing this as purely a compliance issue, and thus, as a net drag on their earnings.
In fact, suggested some experts at this recent panel discussion on GDPR and innovation, some corporations might actually view the cost of non-compliance (i.e. getting hit with a fine) as being less burdensome than the cost of compliance (i.e. staffing up with some very expensively paid lawyers).
As Hilary Wandall pointed out at the GDPR briefing, “A number of organizations… are still just too early in the process of analyzing their data and how their data are actually being managed within their organizations. They are still at that phase of the evaluation as opposed to really thinking about maximizing the kinds of data analyses that they will need to do going forward with the GDPR.”