Can I Own My Data?
Ownership sounds like such a simple idea…
At first glance, the ownership of “my” data seems straightforward. I created it (or at least was involved at the beginning), it’s about me, so I own it. But personal data is a slippery concept. For one thing, a lot of the time it’s co-created – by me and my supplier, including my government. And tying down the legal specifics of data ownership is a bit of a minefield. Hence the recent and continuing debate on the Project VRM mailing list about whether an individual does, can or should ‘own’ personal data relating to them.
I take the view that individuals will ultimately have a form of ownership rights to data that relates to them. So far so good, but the word “ultimately” there is important, and frustrating. This will take some time to happen, and will relate to only some of the data in question. My view is that ‘ownership’ of personal data will come about through a combination of issues and events; and that this will all pan out over the next few years.
Firstly, the sensitivity of individuals to problems with firms’ use of data is rapidly increasing. The way most organisations gather and use data is often invisible to the individual, and almost always annoying to them. For one thing, there are regular and sizable breaches in data security. One example is the TK Maxx breach – which has now doubled in size from that originally admitted. Plus there’s a growing identity theft problem, with little sign of a solution in sight. And as we all know there are ongoing problems with spam to compound the everyday irritation of poorly targeted, invasive direct marketing. In the same ‘worrying’ space are large corporate acquisitions or investments (e.g. Flickr/Yahoo or Facebook/Microsoft) in which access to identity data initiated by and important to the subject is traded for a few dollars per record.
This increasing pain, without legal recourse, will drive some firms to offer commercial services to reduce that pain. These will include ‘who has data about me’ services such as Garlik, reverse-marketing services such as Pureprofile, transparency enablers such as The Trust Index (disclosure – this one is one of my hobby horse projects) and some plays from more traditional players in the personal data space such as Experian, Equifax or CallCredit. All are now beginning to explore how they can sell personal data back to the data subjects.
Another driver will be data breach notification legislation. It will be deployed in the EU and in many other countries. I expect it will be watered down, and won’t do too much in practice to change the accessibility of stolen customer data. The going rate, by the way, is £140 for 1000 credit card records – with security codes – or so I heard the last time I checked. But no matter, such legislation will at least build some additional legal rights on the side of the individual in the personal data space.
Next, opt-in-based direct marketing is going to become the norm across ALL communications channels – upping the value of ‘permissions’ data. This will be a sensible approach for large organisations to adopt commercially, largely for environmental reasons. And user-centric identity technologies (such as OpenID, InfoCard and i-names) will start to become more popular. They’ll impact b2c (or more accurately c2b) electronic relationships. People will want to restrict the flow of personal data into organisations, though people will see a clear trade-off in offering personal data to get improved customer experience.
Meanwhile, the next generation of personal information management services will emerge. These alternative ‘single views of the customer’ will be available for organisations to tap into — with permission, and usually at a cost. This will be the trigger point for real change. For the first time, data sourced FROM an individual will be more valuable commercially than data gathered ON an individual. In practice, this is about “pull”: the commercial value of these new data sources comes from the higher response rates that come from the much improved relevancy of communications. ‘Pull’ beats ‘push’ every time at the micro, one-to-one level.
When this new value is created within the PIMS, commercial law swings into gear. Individuals and suppliers will build robust contracts around these new services and at last, we have something akin to ownership of our personal data.
In short, the point at which I will ‘own’ my personal data is the point at which I can actively manage it. If I have the choice over whether to sell it to someone, and can cover that sale with a standard commercial contract, then I clearly have title. But – and this is crucial – this doesn’t mean that I ‘own’ all the personal data that relates to me. Lots of it will still be lying around in various supplier operational systems that I won’t have access to (and probably don’t want to – much of it is not worth me bothering about).
Technically we can just about do this now. As ever, I think we’ll have to wait a bit longer for all this to build a mass market for personal data ownership and management. That said, I think we’ll start to see little signs of life in this space over the next 12 months. Watch, as they say, this space.
Talking of which, do any of you database marketers out there want to buy my ‘intention to buy’ data for the next 6 months? I’ll break it down by product / service category, add likely purchase dates, indicative amounts and existing preferences of various types… and send it in a format that feeds straight into your CRM system. £10 per category for a one-off use, and I can GUARANTEE that my data will be more predictive of what I’m going to buy than your own analysis or what you can buy in from other external data providers.