The capture and collection of personal data is an important requirement in order to provide the individual, customized and tailored experience that people are demanding. Whether it’s to provide recommendations on sites such as Amazon, Netflix or YouTube, or customized experiences within apps we use every day, access to personal information and preferences is necessary – and largely accepted as the norm.
Even initiatives such as “smart cities” will be collecting data on massive scale. For example, the planned Sidewalk Labs “smart city” initiative under review for Toronto is focused on demonstrating “how emerging technologies can make cities more affordable, easier to travel within, and more environmentally sustainable.” The vision includes collecting information from sensors, cameras and smart phone apps to improve air quality, traffic and pedestrian flow, and many other elements of city life. But it will also collect a massive amount of personal data on the people who live, work and visit in the area.
At what point does the use of personal data become a concern for individuals, and what options do they have to protect it? In the case of the Toronto smart city plan, Sidewalk Labs has indicated their sensor data will be open access. This has sparked controversy among privacy experts such as Ann Cavoukian who argue that the rights of the individual must be at the forefront of design and governance.
Ann Cavoukian’s credentials are impeccable. The former information and privacy commissioner for Ontario is credited as the person who invented the principle of ‘privacy by design’ that has become one of the major elements of the EU’s GDPR. Key elements of both include the need to implement the protection of personal data through technology design and GDPR has enforced this in legislation.
The purpose of GDPR was to realign the ownership of personal data. It takes ownership from the organizations and gives it squarely to the individual. Privacy by design has to be seen in terms of the individual’s rights, such the right to be informed about data collection, the right to data access, the right to restrict or object to data processing and, of course, the right to be forgotten.
GDPR is a clear indication of changes in our views of data ownership. Individuals will have more and more control over their personal data and how it’s used. In addition to the EU, more countries and regions are moving this way. The more digitally advanced governments – the D7 – are leading the way in developing open government and open markets that have data privacy at their core. One D7 member, Estonia, has even opened the world’s first data embassy to give the data it holds diplomatic status!
Moving from data owner to data custodian
This is where organizations can build a different relationship with their customers. The idea of a data custodian has been around for a long time and I think it’s about time it got a fresh lease on life. In the new post-GDPR world, your entire organization becomes the data custodian and supports the individual in their choices on how it’s allowed to use their personal information. It becomes a two-way dialogue between the organization asking permission and the individual allowing their data to be used for that specific purpose.
To achieve this, you need to be able to determine what personal data you have, where and how it’s stored and processed, who uses it, what it’s used for and why, and whether you have the right consent from a specific individual. Discovery consulting services can help you find and identify the information, and an enterprise-wide EIM platform is indispensable for compliant management of the data and processes associated with it.
To find out how OpenText™ can help you move from data owner to data custodian, please contact us.