Alan Mitchell is Strategy Director at CtrlShift, a consultancy that helps organisations to grow and innovate in the digital economy by building trusted data relationships with customers and developing future-proofed digital products and services which empower customers through greater control of their data.

Opinion Piece GDPR: Evolutionary or revolutionary? Alan Mitchell Received (in revised form): 29th June 2016

Abstract The data portability provisions of the new European Data Protection Regulations have the potential to turn data relationships between customers and companies upside down as customers learn to move their data to those providers adding most value to it from the customer’s point of view. Companies need to look at customer data through a new lens: the value it can generate for customers as well as the company. Journal of Direct, Data and Digital Marketing Practice (2016). doi:10.1057/s41263-016-0006-9 Keywords: data portability, customer data relationship, GDPR, personal data stores

An idea whose time has come?

Alan Mitchell Ctrl-Shift, London, UK E-mail: [email protected]

If you had to pick one, single element of Europe’s new General Data Protection Regulations (GDPR) with the most power to transform the personal data landscape, what would it be? Many candidates have already been proposed: breach notifications, the broader definition of personal data, the overall costs of compliance and so on. But there is one GDPR concept that could transform today’s personal data paradigm, helping to create a very different world where individuals have more data (and insights) about themselves than the organisations they deal with; where competition to add value to individuals’ data defines brand success and where the very architecture that underpins today’s personal data economy flips to a different, person-centric model. This concept, enshrined in Article 18, is the right to data portability: ‘‘the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured and commonly used and machine-readable format and the right to transmit those data to another controller without hindrance …’’ For decades, organisations have built data, marketing and other strategies on the assumption that the data they hold are effectively theirs. But soon their customers might have a copy of these data. And so might their competitors. It is time to think again. The notion of data portability is hardly new. Services like Google have long enabled users to download data collected about them. The notion of using data portability to transform the way markets work is at least 5 years old – introduced by the coalition Government in November 2011 as ‘midata’1. The midata initiative wanted individuals to have ‘‘access to their personal data in a portable, electronic format’’, the idea being that they

 2016 Macmillan Publishers Ltd & The Institute of Direct and Digital Marketing 1746-0166 www.palgrave.com/journals

Journal of Direct, Data and Digital Marketing Practice

Mitchell

Far reaching implications

would ‘‘then be able to use this data to gain insights into their own behaviour, make more informed choices about products and services, and manage their lives more efficiently’’2. The programme itself had mixed success. Many companies’ instinctive reaction was ‘over my dead body!’, the ‘commonly used and machinereadable formats’ hardly existed, and most consumers had no idea what they could do with the data in the first place. Nevertheless, the UK’s big six energy companies are now making energy consumption data available to their customers, and in March 2015 six banks (Barclays, HSBC, Lloyds, RBS (including NatWest), Santander) made consumers’ financial transactions available to customers via a CSV file3. In the US, these developments have been mirrored by the Blue Button initiative (starting with Veterans to enable them to access and use their own health data) and Green Button (release of energy consumption data). What is really important however is not the initial impact but the fact that the genie is out of the bottle. The idea of data portability has begun to take root. Last year, DJ Patil, the US Government’s first Chief Data Scientist, announced that the Blue and Green Button initiatives would be one of his four priorities to ‘‘unleash the power of data to improve all of America’’. The concept meanwhile spread to Europe’s Payment Services Directive 2 (PSD2) which requires all banks to make balance and transaction data available to customers via Open APIs4. The UK is racing to jump the gun with the Open Banking Working Group’s February 2016 framework to support the use of open APIs in the banking sector5. And, of course, the midata formulation found its way into personal data regulations covering the whole of Europe, with almost certain emulation in many other parts of the world. Why does this matter? First, a policy Rubicon has been crossed. Policy makers and regulators are adopting a new mindset that says data hoarding by large companies can be a constraint on competition and innovation. New services need to be able to access new combinations of customer data if they are to drive innovation and competition, and data portability is a way to make this happen. In financial services, this is already an explicit objective: to help fintech disruptors challenge sleepy change-resistant incumbents. This is not just a regulatory shift, it is a vision and understanding shift too. Until very recently, the unquestioned working assumption of all main stakeholders, companies, politicians and regulators alike has been that customer data collected by the organisation was, for all intents and purposes, the organisation’s – not in any formal or legal sense but in a de facto practical, operational sense. There was simply no working alternative. Now a new vision is challenging this assumption and pointing in the opposite direction – to a new data landscape where customers can easily

 2016 Macmillan Publishers Ltd & The Institute of Direct and Digital Marketing 1746-0166

Journal of Direct, Data and Digital Marketing Practice

GDPR: Evolutionary or revolutionary?

Secrets of data success

and routinely access and use their own data for their own purposes, with pro-active measures taken to support and enable this. Second, the secrets of data success are changing. There are many elements to this. One is data portability enables improved service provision. Blue Button is popular amongst US veterans in America because it has made it much easier for them to get better medical advice from non-armed forces medical practitioners. The full potential of the Internet of Things simply cannot be realised if data hoarding mindsets and practices remain dominant. Another, potentially more profound effect of data portability: it transforms the meaning and implications of the term ‘single customer view’. To date, most visions and programmes around a single customer view have been narrowly organisation-centric. ‘A single customer view’ means a single view of that particular organisation’s dealings with its customers across a range of different channels, touchpoints, product lines, etc. That is great so far as it goes. But it pales in the face of the genuine single customer view that now looms: customers’ ability to aggregate multiple datasets from multiple sources to create their own single view of their lives and transactions. With Clubcard, Tesco has rich, accurate data about what its customers buy from Tesco. But it has no information about what they are buying from Sainsbury’s or any other competitor. With data portability the customer can combine data from both Tesco and Sainsbury’s (and all other suppliers) to construct a single view of all his or her transactions and behaviours relating to all suppliers. The applies to every industry and category. In financial services for example, most of us deal with a dozen a more different providers, each of which sees only a slice of our complete financial picture. With PSD2, customers will be able to aggregate data from every one of their suppliers to create a picture that none can see individually. The long-term impact? Using data aggregated from multiple providers, individuals will be able to build far richer, more rounded views of their lives than any single supplier can, including data behemoths like Google and Facebook. For the last two decades, we have been taught to believe that customer data are potentially a company’s greatest asset. Its crown jewels. If you still think this, think again. The crown jewels are no longer exclusively yours. They will be shared, not only with your customers but with your competitors. This has the potential to transform the power balance and relationships between individuals and organisations. The impacts do not stop there. In a world where customers can port their data from one supplier to a competitor, a new dimension of competition opens up around access to customer data. The really important data are no longer the data you collect from your customers but the data other organisations may collect. Losers will see their data migrating into competitors’ hands, and winners will attract their competitors’ data to them. The battle for this privilege of enhanced data access will revolve around how good companies are, not only at using data for their own

 2016 Macmillan Publishers Ltd & The Institute of Direct and Digital Marketing 1746-0166

Journal of Direct, Data and Digital Marketing Practice

Mitchell

Charting a way forward

purposes, but using data to help customers achieve their purposes. Firms that help individuals get the most value from their data (in ways they can trust) will win customers’ favour and, along the way, open up new revenue streams. Firms that fail to innovate and add value in this way will find customers porting their data away, into competitors’ hands. In financial services for example, competition is already growing up around the services firms can offer via permissioned access to customers’ aggregated data to help them better understand spending patterns and trends, manage their money better, make more informed financial plans and decisions, manage financial and other risks better. This is a sign of things to come, just as midata predicted. There are equally profound implications for our economy’s data architecture and infrastructure. The first 50 years of customer data saw organisations building massive centralised, siloed databases (which subsequently became honeypots for hackers). But if customers obtain electronic copies of the data they need to put it somewhere safe – in their own private, encrypted personal data store/locker/vault/cloud/bank. (There are already hundreds of companies competing in this space, using many different terms to describe the same underlying concept.) The net effect is a likely shift in infrastructure from today, which is dominated by multiple centralised, siloed databases to tomorrow, where legacy systems are supplemented and complemented by a new decentralised, distributed infrastructure of personal data stores (and where, by the way, data distribution means the honeypot hacking incentive evaporates). How, then, should companies respond? 1. First and most important is to recognise that data portability is happening. Ignorance is bliss, but it is not good for competitive survival. 2. The second critical judgement relates to timescales. Do we really have to worry about this right now? Perhaps not. EU data portability provisions do not come into effect for 2 years, and then it will take some time for new services to develop, for customers to be made aware of them and to get into the habit of seeking access to data. To that degree, a wait and see approach might be just fine. On the other hand, it will take years to implement the sorts of adjustments companies need to make to flourish in a world of added value data sharing with customers. Meanwhile, many companies, seeing the writing on the wall, are already seeing this is an opportunity to seize competitive advantage now by creating new data sharing-driven services with their customers. So ‘wait and see’ risks turning into ‘left behind’. 3. Third, companies need to undertake a new type of data audit. They are used to asking the question ‘what is the potential utility and value of customer data to our organisation?’ But as portability kicks in, they need to revisit their data inventories to ask a very different question ‘what is the potential utility and value of this data to our customers – and how can we use it to add customer value?’

 2016 Macmillan Publishers Ltd & The Institute of Direct and Digital Marketing 1746-0166

Journal of Direct, Data and Digital Marketing Practice

GDPR: Evolutionary or revolutionary? 4. Fourth, rethink data strategies to fit a world where trusted data sharing trumps data hoarding. Tomorrow’s data strategies will be much more nuanced than today’s, including questions such as follows: a. what data do we really need to collect and hold in our own right? Do we really want to gather and hold lots of sensitive data such as credit card details in our own databases, thereby multiplying risks and liabilities? Why not let the customer’s personal data store hold such data, allowing the company to access it when and if needed? b. what data can or should our customers hold – assuming we can access it if we need to? c. what data can we access from third parties with our customers’ permission?’ 5. Rethink the customer data interface. Companies need to ask: what proportion of the data management tasks customers undertake should take place within our systems versus via new ‘portal’ services? Take just one example. Customers’ ability to aggregate their own data is creating a need for new types of consumer data management service, such as consent and permissions dashboards that aggregate a view of all the individual’s commercial relationships, enabling them to manage multiple different sets of consents and permissions from one single place, rather than having to log into many different and separate accounts, one by one. Many initiatives of this sort are already under way6. 6. Finally, there is the challenge of creating customer value from data. This requires a new dimension of customer insight and, often, new capabilities. Marketers are passed masters at understanding customer needs and wants when it comes to existing products and services, but very few understand the information intensive tasks that customers undertake in their daily lives, the pains they experience – and therefore the opportunity to create new information services. But this is fast becoming a new dimension of innovation and value creation.7. To sum up: hidden within GDPR is a new ‘right’ to data portability that will not only tinker with how today’s data practices work; it could usher in an entirely new data ecosystem. Don’t let it creep up on you unaware! References 1. https://www.gov.uk/government/news/the-midata-vision-of-consumer-empowerment. 2. Alan Mitchell and his firm, Ctrl-Shift, were business advisors to the midata programme. 3. http://www.moneywise.co.uk/news/2015-03-19/banks-launch-midata-current-accountcomparison-tool. 4. PSD2 is due to be implemented by all member states by 13 January 2018. 5. http://theodi.org/open-banking-standard. 6. ‘User Managed Access’ is one example. https://kantarainitiative.org/confluence/display/uma/ Home. 7. Personal Information Management Services (PIMS) – an analysis of an emerging market, Ctrl-Shift, 2014.

 2016 Macmillan Publishers Ltd & The Institute of Direct and Digital Marketing 1746-0166

Journal of Direct, Data and Digital Marketing Practice