Saturday, 14 May 2011

The emerging “science” of data protection

During a recent meeting of data protection aficionados, held under “Chatham House” rules, a phrase emerged and was increasingly repeated - and as it had an ology in it, I guess we’re increasingly embracing “data protection” as a science, rather than an art.

Wikipedia differentiates science and art as follows: Science is enterprise that builds and organizes knowledge in the form of testable explanations and predictions about the world. Art, on the other hand, is the product or process of deliberately arranging items (often with symbolic significance) in a way that influences and affects one or more of the senses, emotions and intellect.

In the early days of data protection, the main emphasis seemed to lie with the phrase no sneaky stuff. Transparency was the order of the say. Not necessarily choice, but transparency. Organisations had long privacy policies which explained what consequences would follow when someone shared their personal information with that organisation. So the "art" of data protection lay in getting individuals to feel better by being reassured about what was going to be happening to their personal information.

These days, the emphasis has shifted from transparency to choice and control. In other words, generally, these days, organisations behave ethically by more actively engaging with the individual in the hope that those individuals will want to share more information which is personal to them for something which will directly (and very quickly) benefit them.

What was this phrase that has caused me to cast off my artistic rags and espouse my scientific credentials (like the Doctor who first used it during the meeting)? It’s this one: the ecology of compliance.

What does it mean?

To my mind, what it means is that we are entering a world where individuals are increasingly aware of their rights, so organisations face a new set of challenges.

In the “old days” generally, most individuals didn’t really give a stuff about data protection, so the Data Protection Regulators felt that it was they who were charged with keeping organisations in line, in the general interests of society as a whole. This can be contrasted to today’s world, where individuals are increasingly aware of the advantages (and disadvantages) of having their personal details shared with other organisations, in a way that provides them with good stuff and bad stuff. In my mind, this emergence of knowledge is catching some Data Protection regulators unawares, as there is, in some EU Member States, a bit of a battle emerging. Some Regulators seem less willing to realise that individuals are now better able to make decisions for themselves. But if an individual is to be empowered to make the decision on their own, then there’s less need for the Regulator to make that decision on their behalf. And some Regulators don’t appear to like this challenge to their authority – and reason for existing.

And where does this leave the organisation?

Increasingly, it appears to leave them between a rock and a hard place.

Just as servants find it hard to serve two masters, organisations can find it hard to meet the expectations of both the regulators and their customers.

Instinctively, the organisation would really want to concentrate on the meeting (and exceeding) expectations of their customers. After all, if they don’t attract customers, they generally find it awfully hard to remain in business. So, when the regulator imposes rules which make it harder for the organisation to engage with their customers, sparks will fly. And that’s a direction I think we’re in danger of heading in.

Do I have any evidence of this difference of emphasis between customers and regulators? Well, let’s consider what’s going on in Germany and Switzerland at the moment. My German and Swiss friends like Google’s Street View Service. Well, they do when they come to visit me in London. They’ve already seen a picture of my home, so they know what to look out for, and what landmarks will appear as travel to my place, to pop over for tea. If only they could have something just like that where they live, they tell me. But they don’t appear to be allowed to.

Well, I reply. Don’t tell me – tell the folks back where you live – like Swiss and German regulators, whose job is sometimes made extremely difficult by national Parliaments who have created rules which don’t appear to meet the real needs of their citizens of today. Is pragmatism a dirty word? It’s not a dirty word in the UK, but then again not everyone shares such common-sense attitudes. There could be a few too many “jobs-worths” elsewhere.

Anyway, back to the plot. My main argument is that organisations are going to increasingly have to get their crystal balls out and predict the likely consequences of their actions with greater accuracy. Fines, civil penalties and public undertakings (which all run the risk of reputational damage) are becoming increasingly common. And budgets are tight, too. But they want to provide things for customers in such a way that they’ll make repeat purchases, so that the companies can provide their staff, when that day comes, with decent pensions.

So how do organisations assess the risk of regulatory action with the risk that their customers will have a less than optimal experience, because the customers are smothered with unecessary protective measures? And how do organisations assess the risk of regulators feeling required to create safeguards that lots of customers care about not one jot? (Or, even worse, resent?)

Déjà vu – it sounds like the health and safety debate all over again. So, in future, we’ll all probably spend more time wearing our risk assessment hats, and working out, scientifically, when the risks of providing services to knowledgeable customers are outweighed by the costs that can be imposed when organisations are caught breaking outdated rules.

Image credit:
Today's image is quite special. It's taken from a page of Charles Darwin's notebooks around July 1837, showing his first sketch of an evolutionary tree of life. The words I think, in his own handwriting, is some of the earliest evidence that he was developing his theory of evolution.