September 12, 2018

Data Responsibility

Maintaining Respect in the Process of Delivering Benefit
A plentiful by-product of our digital age, data is described fittingly as the “new oil.”1 While its creation is perpetual, preservation of this valuable resource is crucial.

But where to start? There are so many topics swirling around the data-as-a-resource discussion – from data ownership, collection, privacy, protection and transparency to the commoditization of data and its strategic advantages.

Over the next few months, we’ll explore some of these conversations against the backdrop of data (resource) preservation. We begin here with data responsibility – a topic that’s been placed front and center on the world stage by the European Union General Data Protection Regulation (GDPR), and one that concerns the balance of respecting the data subject in the process of delivering benefit.

Rules and Regulations – What’s in Place?
You’ve heard the saying, “Possession is nine-tenths of the law.” Evidently that applies to data, since many organizations consider that the personal consumer data they collect is, in fact, theirs. After all, they have invested in the acquisition and storage of that data.

Data responsibility, though, extends beyond basic concepts of possession. It implies stewardship and a certain ethical responsibility on the part of the organization. Enforcing that responsibility are a number of formal government and industry policies and regulations which compel the shift of corporations from data owners to data guardians.

For instance, with mandatory data protection as its central tenet, the formal and recently enforced GDPR puts a spotlight on proper data handling as a responsibility of corporations – along with very specific technology and policy requirements.
In the U.S., though, aside from those organizations obligated to comply with GDPR, regulations for companies with regard to privacy and secure handling of data are more fragmented and inconsistent.

There are, of course, the obvious industry-based regulations. For example, healthcare’s HIPAA and financial services’ PCI-DSS require compliance with defined information security, privacy, and accessibility standards for organizations that handle personally identifiable information (PII), protected health information (PHI) and credit cards. There also are state-level initiatives such as the proposed California Consumer Privacy Act.2

But recently publicized U.S. data breaches and information-sharing raised questions and highlighted the gaps in our laws with regard to data ownership, and the discussion is now elevated to the federal level. The resulting proposed GDPR-esque government regulations introduced earlier this year “would give consumers the right to opt out of data tracking and collection, give them more control over their data, require terms of service documents to be written in plain language and allow consumers to see what information of theirs has been collected and shared.”3

To reference a famous Spider-Man quote (or Voltaire, depending on your preferred source), “With great power comes great responsibility.” It’s a statement that couldn’t be more appropriate with regard to how organizations choose to wield their data power. With GDPR now in effect and broader U.S. governance a possibility, we have yet to see how data responsibility can be achieved. Is it a top-down legal push? A bottom-up groundswell from consumers? Or some combination of both?

Social Impacts
A subset of the data responsibility conversation, social responsibility is coming to the fore as governments and industries recognize the potential of the data in their charge – not just for their own benefit, but for the benefit of the greater good.

There are many stories of companies who have embraced their social responsibility and shared their proprietary data – and in some cases, saved lives. After the 2015 Nepal earthquake devastated the area, for instance, the country’s largest mobile operator, Ncell, shared its mobile data “in an aggregated, de-identified [form]” with the Swedish non-profit, Flowminder, who in turn used the data to create real-time maps of population movements in the area. The maps “allowed the government and humanitarian organizations to better target aid and relief to affected communities, thus maximizing the impact of their efforts.”4

According to IBM’s CEO Ginni Rometty, only 20 percent of the world’s collected data is searchable – 80 percent resides in proprietary databases in organizations around the globe.5 Imagine the potential if that data resource could be tapped, shared and applied to improve public service design and delivery (e.g., transportation), track poverty, predict crises such as droughts for early intervention and more.6

Achieving a Balance
In the end, whether the benefits of data are being applied to a commercial purpose or humanitarian effort, organizations have a responsibility to respect the data subject in the process of delivering benefit. One shouldn’t outweigh the other. For the moment, though, how that delicate balance of data responsibility is best realized – through legal measures, consumer uprising, or a combination of both – is still playing out.

About the Author
Christina Whiting is the managing director of privacy, enterprise risk and compliance at Tevora.
David Grazer is the privacy practice lead at Tevora.