Thomas Power and Matt Rutherford of 9 Spokes weigh in on the potential commercial impacts of personal data management (or lack thereof).
As the EU’s General Data Protection Regulations are set to go into effect this month, many business owners are scrambling to prepare for the ramifications of such sweeping regulation. The impacts are not one-size-fits-all; while large corporations are sitting atop mountains of data and will inevitably deploy a barrage of resources to manage data and contend with regulatory challenges, small- to medium-sized businesses will have different levels of challenges and capabilities to be able to contend with life after May 25.
We recently sat down with Thomas Power, a member of the Board of Directors for 9 Spokes, which provides a cloud-based, smart dashboard of app-fed content and data to small- and medium-sized business owners. Thomas is a widely recognized commentator on technological trends like blockchain and cryptocurrencies as well as regulatory disruptions such as GDPR. He spoke to us alongside Matt Rutherford, head of Customer Success for 9 Spokes, and the conversation touched on subject access requests and the likelihood of class action lawsuits; which industries will be most challenged by the new regulation; the monetization of personal data; and what business owners of various stripes should be doing now to prepare for GDPR.
ANSWERS: After May 25, when we’re living in a post-GDPR world, what has you the most optimistic? What has you the most worried?
THOMAS POWER: I’m not really optimistic about GDPR. I’m quite worried about it, because I think there’s going to be a lot of mistakes and I think there’s going to be a lot of no-win, no-fee lawyers who catch out individuals and small- to medium-sized companies. I think the big companies will use their lawyers to defend themselves if they make errors, but I do think there will be a lot of errors.
I think a lot of people will be at least threatened with fines, if not actually fined, because of the scale of the subject access requests. The subject access requests encourage lawyers to contact companies to say, “Can you tell me everything you’re holding on this person and remove it, please? I want it all done in 72 hours.” It’s really not possible to handle all those requests in that time and then keep a record of that on the blockchain or something that you’ve done it. Not at scale.
ANSWERS: Are there certain industries or organizations that you think are going to have the most difficult time with GDPR?
POWER: I think financial services are going to have a hard time, particularly those that manage capital dividend funds for more mature audiences because those are not well-organized online. I think the airlines will probably be all right because they’re basically just providing air mile statements on business travel. I should think the supermarkets will be alright because their loyalty programs are basically centered on what you’ve bought and giving you vouchers or tokens around frequent purchases.
In financial services, where there’s a lot of direct marketing and telephone marketing, I can see them getting into a lot of trouble. In terms of the auto industry, they’re constantly marketing online, direct mail, email, etc., to get you onto new payment plans or to try out a new car, that kind of thing. I can see the car companies getting into trouble. If you think about how long it takes to build and clean up a CRM database, it’s not an easy fix. Not if you’re, at the same time, being hammered by subject access requests.
ANSWERS: How aggressively do you think regulators will be in going after companies, once GDPR enforcement takes effect? Do you anticipate some sort of grace period, initially?
POWER: I think the UK regulator, generally, gives a period of grace for 12 months. I think in 2019, if people are not ready, they will be threatened with penalty. The reason I’m so worried about it is because I’ve been through all the different products that I consume both in business and at home. I’ve got 120 brands in my life that my family and I consume – car rentals, flights, Amazon, insurance, life insurance – and generally, those brands are pretty poor at managing data CRM systems, loyalty cards, call centers, direct mail, email, etc.
Outside of Google and Amazon, companies are generally not organized with their systems, which means they’re going to be forced into doing community building on social media because there’s not going to be any real way to get in touch because as a customer I’m just not going to double opt-in into the database emails that they send. Customers are just not going to do it. Most of those emails will go to spam. I see a lot of errors amongst the corporates because CRM systems, in my experience, are generally poor.
ANSWERS: You’re a board member of 9 Spokes, which helps small businesses with their technological needs. What should small business owners be doing to prepare for GDPR? How would you advise them on what steps to take?
POWER: You have got to make sure you’re on course before May 25 with what GDPR means to your business. At the basic level, understand what it means in terms of your email and telephone calls. If you decide you haven’t got the skills, the resources or access to IT people who can help you be ready for GDPR, then you’ve got to hire those skills or find a supplier who’s got those skills because your business is at risk. I think GDPR is putting every small business at risk because one mistake, one inquiry, one failure to deliver and your customer, your supplier or your potential customer can complain to the regulator.
MATT RUTHERFORD: The way that I would break down the advice for small- to-medium businesses is in three or four steps. These would be know your data, really understand what data you’ve got on customers; know the rules because most people aren’t taking the time to understand the rules and seeing what the non-compliance penalties are; and then it’s move fast and ask for help. Most small and medium enterprises will not be ready for the changes that are required for them to get ahead of the rules and protect themselves against what’s going to happen.
The first class action will prove this, and there will be plenty of bad actors out there who are intentionally trying to trip companies up because they know that there are penalties for non-compliance and for having data in the wrong place. I see it as an opportunity for small businesses but there’s a huge bit of work to do beforehand before you can take advantage of that opportunity.
ANSWERS: There are some exemptions for data controllers so they don’t have to grant subject access requests in certain instances. Do you think there is ample clarity around the issue? Do you think it will be abused by data controllers?
RUTHERFORD: I read through the UK Information Commissioner’s Office (ICO) rules and I consider myself to be pretty adept at understanding what data I’ve got and what data I should and shouldn’t have. I found it difficult to work out what exemptions count. I think lawyers and litigants will dance around this for quite some time. I think that anybody who thinks they can hide behind those rules needs to be really, really careful because I think there are enough catch-alls in there on both sides of the argument.
My advice is to spend time understanding the rules and the risks and, where necessary, getting counsel to guide you through the situation so that you don’t get into issues.
I’m not so concerned with small businesses having a list of customers sitting on a spreadsheet and laying them inadvertently exposed in a coffee shop, even though that’s wrong. I am more concerned about the medium-sized enterprise; it has five or six different customer databases for different reasons and it doesn’t know how to secure them, doesn’t know what they have, and doesn’t know how to respond when somebody comes to them with a question. Those are the guys that are going to get exposed first.
The very small micro-business, gig economy people are probably not going to be exposed too much on this because their risk surface is very low. If you’re a business of 150 people and you’ve got a sales force of eight across the country, and they’ve all got laptops that they run encrypted, you’re going to be very easily exposed.
I think the real threat will be to very big companies because they probably don’t know what data they’ve got and it’s in silos. I’ve worked at some very big companies and I know exactly how they’re organized internally, where there isn’t one CRM system to rule them all, even though you think there should be. There are lots of siloed databases out there. Those large enterprises probably have good governance around the disparate siloed databases they’ve got and yet, there are still a lot of humans involved that could expose their data and leave them to risky situations.
Medium-sized businesses may not have as much data, may not have as many silos but their governance will be poorer. They’ll be exposed in a different way. It’s the dimensions of exposure that are different between an enterprise and a medium-sized business.
ANSWERS: Thomas, you have previously commented about a potential collision between GDPR’s “right to be forgotten” and the vaunted immutability of blockchain. How do you see this playing out?
POWER: What you’ve got is one law – GDPR – which in effect is, “Delete me, delete me” and one new technology called blockchain, which in effect is, “Keep me, keep me.” I think the irony of all this is, if you were to go to Amazon and say, “Take me off all your databases and your call centers,” they’ve got to keep a record that they’ve deleted you. Even the sentence is an oxymoron.
The whole point of GDPR is “expunge.” A blockchain is about, as you say, an immutable record state. I don’t think many people want to be deleted unless they feel they’re being spammed by whatever organization in their email, their cell phone or on their domestic or office line.
People who decide to be deleted will do so only from the places that are annoying them. It could be an old gas supplier, an old telecom supplier, or someone else who’s annoying them. They never want to go back. I think most of that will disappear pretty quickly. I’m more worried about the class action lawyers. Matt said to me a few weeks ago that the law has to catch up with the demand of the market, and it’s not there yet.
ANSWERS: Some have suggested that a person receive compensation for the use of his or her personal data. Do you think monetizing personal data and remunerating the individual would help prevent privacy abuse by data holders?
POWER: I do think you should be paid for your data, for how much you share or how much you publish. I think you’re going to be paid for your personal data with tokens found on the blockchain, tokens that you can exchange with any organization, be it an airline company or whatever.
RUTHERFORD: If there is a broader opportunity with GDPR, it’s that people will understand that their data and details are powerful and that they can use them to their advantage, rather than just be suckered into giving everything away. In fact, there was an article in the Guardian newspaper recently in the UK, which was about the concepts of people seizing control of their data and not just allowing it to be passed into lakes of data.
People should actually keep control and retain some personal sovereignty over their data in order to, not necessarily monetize it, but at least have control as to where the attention is. From a consumer perspective, I think GDPR has a lot of upsides. It is companies that are going to need to be able to bend to the will of the market. When the market says people don’t want their data used in a certain way, companies are going to have to succumb to that, otherwise they’re going to face the full consequences of the situation, which is hundreds of millions of subject access requests for data.
POWER: What GDPR is doing is waking up consumers to the fact they’ve got to manage their data better. A role of companies like Google, Facebook and LinkedIn is to manage the data for us. Perhaps we pay them a fee to manage it for us, or they give us tokens every time people want to access our data and choose to use it – either for life insurance, health insurance, at the hospitals, the car insurance company, the airport, wherever it might be.
Think of the whole management of individual data across all the suppliers you consume. Everybody consumes from 100 different suppliers. Data management is not being effectively done by any of them. I do think it’s a wake-up call to Google, Facebook, Twitter, LinkedIn, as well as a wake-up call for consumers to get organized and take all that pain out of their lives. Every time you go to a different supplier, you’ve got to start again. You give your mother’s name, your dog’s name backwards, where you were born, all this you have to keep giving companies. It would be better to have that managed by information agents. If that’s Amazon, Google, Facebook or LinkedIn, so be it. If it’s Experian or Equifax, so be it. I don’t mind as long as it’s managed, because right now it isn’t.
RUTHERFORD: To Thomas’ point, I think there’s also an opportunity for all of the businesses that hold our data. One way of looking at GDPR is that it’s about growing deeper personal relationships. The companies that hold our consumer data, the best ones will have an opportunity now to build trust through transparency, to really be transparent about how data is used. They can build a trusting relationship with consumers. They’ll be able to gain a better understanding of customers because customers have opted in to having data shared. Customers can repay you with a better understanding of what experiences they need from your products and platforms. That’s what the market’s going to move towards delivering. I see this as an opportunity for those companies to boost their engagement, provide a better customer experience, and grow a deeper personal relationship with their customers.
For additional content concerning the use of personal data in the digital age, be sure to explore the rest of our multimedia series: A new dawn for data privacy and transparency.