In almost every conversation we are having with a major brand, the topic of privacy and the handling of private users’ data is discussed. Of course, GDPR was the main trigger for these discussions. But today, now that the initial shockwaves have subsided a bit, it’s a good time to take a deeper look into the issue.
The purpose of this post is to explore how some corporations are adapting to this new environment where personal data is protected by law. In addition, we’ll explore the value of personal data, and offer some thoughts on how it might potentially evolve into some sort of currency
Rapid global changes in the protection governments grant personal data
On the 25th of May, 2018, the GDPR tsunami hit corporations all over the world. It wasn’t contained to Europe, and we started seeing more countries follow suit and push similar legislation (see The California Consumer Privacy Act of 2018). Why has this legislation sent (and continues to send) such shock waves around the world? Two main reasons come to mind: The first (and more obvious one) is the penalty. Companies who fail to comply can be fined for up to €20 million, or 4% annual global turnover – whichever is higher. This a crazy amount. Sales volume of online behavioural advertising placements in Europe fell 25–40% on the 25th of May 2018.
The second, perhaps less obvious reason, is that governments finally realize that personal data is a resource which has enormous potential value for certain companies. Personal data, like physical resources such as gas or oil, is scarce. It’s your own digital fingerprint. However, unlike physical resources, data can be infinitely replicated and transferred at 0 cost. This duality, of a scarce resource which can be endlessly replicated, is at the core of why governments needed to intervene. Without regulation, companies which hold your personal data can replicate it and sell it as many times over as they wish, since the cost of duplicating this information is zero.
How Corporations are Adapting to these new Rules of Engagement
One the initial GDPR dust has settled, we’ve been witnessing a few trends in how enterprises approach the issue of private data. The first is, of course, being aware of the cases they are actually handling private data. This seems obvious but many large organizations didn’t even realize if, where and how they were holding this type of data (a separate question of what is considered personal data, or PII, may be the subject of another post altogether).
A second trend is to collect only what is necessary to accomplish the job. In the pre-regulated era, as there was no penalty or restriction for collecting, storing or selling personal data, everything was collected. Today, companies ask why do I need this data and whether an anonymized version of it can yield the same or similar results.
Third, and perhaps most profound, is that companies understand that if they want to leverage personal information, they themselves need to request users’ permission to use it. If previously companies could buy this data from other vendors, today, they need to collect, handle and manage the permissions for this data themselves. Since GDPR states that users may request the removal from the company’s databases, the companies cannot sell the data since they will lose control over it. This has spawned or accelerated, a new breed of solutions, such as customer data platforms which the brands manage themselves.
So, why do companies go through all of this trouble?
One might ask if handling personal data imposes such potential risks and penalties, why do some companies go through all of this trouble? In short, the deeper the understanding a company has of their target audience, the better their sales, marketing and customer support efforts will be. They will be able to provide personalized messages, measure the impact of their messages, craft a better user experience and improve their overall ROI. Some companies need the full extent of personal info but most can still dramatically improve ROI with “declassified” data sets of their audiences or customers that hold no sensitive or PII types of data. These new regulations force companies to ask what they or their service providers actually need to fulfil their tasks.
Some thoughts on the future of Personal Data and how it could transform into a currency.
If we follow this path, which regards personal data as a protected resource, we could also see a day where users can monetize their personal data instead of giving it freely. There’s currently a vast information gap between consumers and companies. Companies understand the potential value this personal information has, while consumers are still giving it away. Once regulation has limited the collection and transfer of personal data, people can take back control, and leverage their data to get something in return.