New protections from evolving Consumer Data Right (CDR) legislation mean data-hungry companies need to step back and consider personal data as “toxic” while they rearchitect consumer relationships on pillars of trust, according to the head of a fast-growing privacy firm that is positioning itself as a data middleman.
“As an industry we seem to have forgotten that it’s not the individual’s job to have to take actions to bring back privacy and security,” Julian Ranger, chairman and founder of personal data-management firm digi.me, told CSO Australia.
“It’s our job as the technology industry to bring back the privacy and the security.”
The CDR framework – which was passed into law this month after a drawn-out legislative process – gives consumers more rights over the personal data that private companies hold about them.
Its early implementation in the financial-services sector – on 1 July banks began voluntarily providing standardised product data to facilitate comparison-shopping in the run-up to full implementation of Open Banking in February 2020 – will set the stage for the dramatic reassignment of control over personal data back to the users it relates to.
Taken along with existing Privacy Act provisions and a planned ‘right to be forgotten’, CDR will give Australian consumers many of the rights that were granted to European Union citizens with the passage of the General Data Protection Regulation (GDPR) in May 2018.
As a business whose stock-in-trade is protecting personal data, digi.me moved early on GDPR compliance, but many companies have not been so proactive – despite the observed benefits in terms of consumer trust and loyalty.
For a business community that has moved quickly to embrace the tenets of big-data analytics, the legislative requirement to carefully curate and respect controls over personal data may, Ranger said, finally help temper the blind data-hoarding instinct that has set the stage for one major data breach after another.
“Companies have to hold that data and ultimately that costs them money,” he explained. “If they lose it they can get fines, and lose our trust and lose their sales. So, companies really should think about personal data as toxic: it’s expensive, and it’s something that is difficult to hold.”
By giving consumers a secure framework to not only recover their data from service providers, but to manage and selectively grant permission to it, Ranger believes services like digi.me will level the CDR playing field.
“When people are asking the individual for data, it’s directly to that person – which is much more scalable than today, where there are masses of third-party interconnections and new standards required, and massive databases that have to be protected by going through 4 or 5 or 12 interconnects.”
This flatter, more direct architecture will foster new forms of data exchange in which consumers can knowingly and selectively exchange personal information for online services and other considerations.
Mechanisms for keeping data analysis on the user’s device allow companies to effectively outsource loyalty processing to that device, with APIs providing for exchange of data-related tokens whilst keeping the data safe and secure on the individual’s device.
“When you actually return data to the individual, that individual is the only point where you can aggregate all the data about the individual,” he explained. “As CDR goes forward, individuals will get this rich data set and companies will ask the individual for that data – and individuals will say yes [when they want to] to actually have more data sharing.”
“The beauty is that it is all private, secure, and consented. It solves all the problems [with data centralisation] and opens up more sharing. We are moving into this era where we’re solving the privacy and security issues but enabling much greater value.”