GDER Anyone?
I was asked to give a talk last week on how I thought the ‘data intermediaries’ space would evolve over the next few years. I used the diagram below to frame the discussion. It seemed to make sense to those in the workshop; so thought I might as well re-cycle that into this post and share more widely.
In short what i’m saying in the diagram is that:
- Box 1: The current model, largely centred around surveillance capitalism and its public sector counterparts, is very broken, and we need to move beyond that for many reasons.
- Box 2: The first variant of human-centric personal data services (intermediaries); i.e.. those personal data service providers whose offering is primarily cloud based is a good thing, but struggles to scale.
- Box 3: The second variant of human-centric personal data services; i.e.. those personal data service providers whose offering is primarily device based is a good thing, but struggles to scale.
- Box 4: The top right/ target box emerges when we move beyond the other 3 (which we will because of how badly broken the current situation is). What is up for debate is the pace, scale, scope and geographic focus of that change.
In terms of how best to understand that change, much of the discussion in last weeks workshop was around the difference between GDPR and my hypothetical GDER. My theory is that GDPR is a decent first attempt at a general protection regulation, albeit held back massively by lack of enforcement. But that a focus on protection is a different set of requirements from a regulation whose primary goal was to empower people with their data. The key points to take onboard about an empowerment focus are that:
- Protection is ‘table stakes’; the need for that does not go away in the slightest
- If we want to genuinely empower people with their data, we need to move beyond the model in which they are always seen as a subservient piece of the jigaw:
- The client that can only do what the server allows it to
- The consumer who eagerly awaits organisations making their offerings available for them to consume (we are also citizens, employees, entrepreneurs and generators of huge volumes of data)
- The data subject who has rights, which are so regularly and easily ignored
- Data empowerment is about making things happen, safely and enabling people to get their ‘jobs to be done’ as efficient and effective as possible’
So, my thesis is that we need to work towards a hypothetical build on top of GDPR which a) does not limit or water down the necessary protections, but b) is absolutely about empowering people with their data. I’d call that The General Data Empowerment Regulation (GDER) because it would need to be as broad in scope as its protection-focused cousin.
Here’s an example of what I mean from a very interesting project i’m working on at the moment around ‘powers of attorney‘. Powers of attorney typically are around an individual enabling one or more others to take decisions on their behalf in the event of the first individual losing capacity to make their own decisions (temporarily or permanently). Sadly this situation affects one in 3 of us at some point in our lives. It can cause huge amounts of stress at what is already typically a stressfull point. They can be expensive to put in place, time consuming, and they are full of liability issues for organistions who are part of the mix (suppliers to the individual who loses capacity). The ‘Forethought’ project i’m working on, led by Margery McConnell, seeks to make the various processes around powers of attorney easier to access, less expensive and easier to use for all involved. Given the scale and global nature of the problem that could be a big opportunity for improvement. Much of that opportunity comes from better availability and handling of data and the ability to prove things in a digital environment (identities of the various people and organisations involved, access to/ confirmation of assets, and confirmation of capacity status). I’ll no doubt say more about that down the track, but for now it provides a good illustration of the difference between a data protection oriented approach and the more evolved data empowerment based approach.
In the Data Protection mode, the story is akin to ‘even though we can see the importance of the issue, that’s seriously sensitive data, so tread warily/ move slowly; be risk averse and don’t digitise things any time soon’. That mode is why none of our key personal, but government issued credentials, (from birth certificate to death certificate) are as yet available in digital formats. And the regulations surrounding them prevent digital twins being made (although that is somewhat unclear, not least because the regulations relating some of these core documents dates from 1953). In Data Empowerment mode, I would suggest that would be ‘We can see the importance of this issue. It clearly involves very sensitive data. But provided all data protection processes are implemented to a high standard then go ahead and digitise so that these capabilities can be made available to more people, at lower cost, saving huge amounts of time.’
We’ll see what emerges around a GDER…; there are at least some moves in that direction such as the EU Data Governance Act, work on EU Data Spaces, and a whole raft of activity worldwide on digitising at least some government issued credentials, mainly driving licences as a low hanging fruit start point.
Meantime, i’m happy to see this ESC (End Surveillance Capital) initiative pop up, which may hasten the demise of the my box 1 in the diagram above. No doubt more on that to come too down the track….