Looking for the missing part of GDPR: a ‘soft infrastructure’ for sharing your data
Shikko Nijland - Managing Partner INNOPAY
Douwe Lycklama - Founding Partner INNOPAY
GDPR mandates that organisations must provide consumers with increased levels of visibility and control over their personal data. But this data is already fragmented across the farthest reaches of the internet, and the long-term needs of neither consumers nor corporates will be served by the implementation of local dashboards and consent management apps by each player in the chain. INNOPAY proposes a collaborative approach to solving this challenge which will deliver convenience and control to consumers, and both GDPR compliance and new business opportunities for companies.
Data consent and sharing can be solved with proven solutions
Pollution of our oceans quietly crept up on the world, scarcely noticed by most of us until our eyes were opened to the widespread contamination of marine life which will only be resolved by systemic changes in waste management. The fragmentation of personal data can be understood in similar terms; we have gradually created an endemic problem which has recently been spotlighted by our growing understanding of the value of personal data. Now we need to work together to implement a new type of collaborative solution which can been seen a ‘soft’ infrastructure as it does not involve physical elements per se.
GDPR provides a strong regulatory response to the challenge, with its focus on handing back control of personal data to consumers through stricter controls. Even though consumers have additional powers of control, many people will find the process of managing and sharing fragmented data across multiple organisations both complex and time-consuming, if possible at all. Data sharing and consent is the next ‘many to many’ problem resulting from digitisation of transactional services. Other examples are internet, GSM, payments, digital identity, electronic invoicing and EV car charging payments. All services powered by a ‘soft’ infrastructure leading to ‘many to many’ interoperability.
So the challenge is to provide a context in which this new-found ‘many to many’ control becomes practical and manageable. And the answer is unlikely to be provided by single repository 'data vault' solutions due to the significant administrative overhead and the additional risk of single point of failure.
The solution lies in collaboration on a practical level
Instead of attempting to centralise consumers' data, the Digital Key Box principle leaves the data at source, and focuses on providing aggregated access and management of that data. In practical terms, it will provide consumers with a simple and effective means to manage consent and allow data sharing across organisations. And if implemented properly and adopted widely, it will also create significant commercial opportunities for businesses, whilst simultaneously ensuring they are fully compliant with GDPR.
The concept has an elegant simplicity. As a consumer, you have already provided data about many aspects of your personal and professional life to multiple organisations, such as your bank. So a key box at your bank, telco or insurer, in which a separate digital key is associated with each personal data attribute, could provide a perfect hub to control and manage your data. Also data residing at other sources. When a 3rd party requests your data, for example an insurance company needing personal details to provide a quote, you simply give consent with bespoke conditions (eg reason, number of uses) to use the relevant keys to unlock access. If at any future time, you wish to revoke the 3rd party's access to your data, you simply withdraw the digital key through the dashboard of the key box. From the consumer's point of view, the system can be made easy to use and provides the level of control envisioned by GDPR.
Not moving strengthens digital incumbents
Commercial organisations will also benefit from the Digital Key Box concept. A new role of Consent Manager is rapidly beginning to emerge, and several (start up) companies (e.g. Verimi, Digi.me, Meeco, Trunomi, Mydex, Peercraft) strive to occupy this central position in consumers' lives. Most of the actors endorse the need for interoperability and several EU Horizon initiatives can be expected to address this topic. The Qiy Foundation advocates for such an interoperable infrastructure for personal data already for a decade. The recent iSHARE data sharing initiative applies similar infrastructure principles but is wholly focussed on business to business data, launching in the logistics sector in 2018.
Big data organisations (GAFAM) have the head start as they already offer comprehensive dashboard services on the data users have shared with third parties. In the ‘permissions’ screens user can actively manage consents given, e.g. when logging in with an existing account. Such solutions should also become part of the ‘soft’ infrastructure, instead of them becoming THE infrastructure.
Companies holding personal data will also be able to create new relevancy for their customers, not only by providing effective hubs for managing access to personal data, but also by using the new levels of trust which consumers will experience. If a consumer feels secure in the knowledge that he can effectively control his personal data, he is more likely to consider offering that data more widely, and enriching basic data with additional information about personal preferences. So by offering incentives, companies will be able to access far greater volumes of relevant and marketable data than in the past. And in a world where data is emerging as the new global currency, and digital transactions are at the heart of everything we do, this will open up significant new opportunities for insightful organisations.
Guiding the way forwards with trust and cooperation
A so called ‘soft’ infrastructure is required to facilitate the Digital Key Box scheme, just as with any physical infrastructure system. We don't build rail or road networks for only one town; we create one consolidated system which serves all users across a country and even national borders. We propose adopting the same principle with personal data sharing and consent management, just has been done with e.g. internet, GSM, payments, digital identity and electronic invoicing.
In practice, this requires the co-creation of a framework of agreements across various technical, functional, legal, business and organisational domains. A trusted technical infrastructure would need to be established to allow key boxes to communicate. Agreements would be required across a wide range of stakeholders on fundamental issues such as the appropriate parameters of consent management. The challenges are significant but certainly not insurmountable. INNOPAY has a wealth of experience of guiding and facilitating these types of schemes, and bringing together coalitions of key organisations to co-create solutions which are driven by the sectors and industries which will deploy them.
To discuss how the Digital Key Box principle can solve data sharing challenges and create new business value for your organisation, feel free to contact us at firstname.lastname@example.org.