Can I Own My Data?

(Cross post from Right Side Up)

Ownership sounds like such a simple idea…..

At first glance, the ownership of “my” data seems straight forward. I created it (or at least was involved at the beginning), it’s about me, so I own it. But personal data is a slippery concept. For one thing, a lot of the time it’s co-created – by me and my supplier, including my government. And tying down the legal specifics of data ownership is a bit of a minefield. Hence the recent and continuing debate on the Project VRM mailing list about whether an individual does, can or should ‘own’ personal data relating to them.

I take the view that individuals will ultimately have a form of ownership rights to data that relates to them. So far so good, but the word “ultimately” there is important, and frustrating. This will take some time to happen, and will relate to only some of the data in question. My view is that ‘ownership’ of personal data will come about through a combination of issues and events; and that this will all pan out over the next few years.

Firstly, the sensitivity of individuals to problems with firm’s use of data is rapidly increasing. The way most organisations gather and use data is often invisible to the individual, and almost always annoying to them. For one thing, there are regular and sizable breaches in data security. One example is the TK Maxx breach – which has now doubled in size from that originally admitted. Plus there’s a growing identity theft problem, with little sign of a solution in sight. And as we all know there are ongoing problems with spam to compound the everyday irritation of poorly targeted, invasive direct marketing. In the same ‘worrying’ space are large corporate acquisitions or investments (e.g. Flickr/ Yahoo or Facebook/ Microsoft) in which access to identity data initiated by and important to the subject are traded for a few dollars per record.

This increasing pain, without legal recourse, will drive some firms to offer commercial services to reduce that pain. These will include ‘who has data about me’ services such as Garlik, reverse-marketing services such as Pureprofile, transparency enablers such as The Trust Index (disclosure – this one is one of my hobby horse projects) and some plays from more traditional players in the personal data space such as Experian, Equifax or CallCredit. All are now beginning to explore how they can sell personal data back to the data subjects.

Another driver will be data breach notification legislation. It will be deployed in the EU and in many other countries. I expect it will be watered down, and won’t do too much in practice to change the accessibility of stolen customer data. The going rate, by the way, is £140 for 1000 credit card records – with security codes – or so I heard the last time I checked. But no matter, such legislation will at least build some additional legal rights on the side of the individual in the personal data space.

Next, opt-in-based direct marketing is going to become the norm across ALL communications channels – upping the value of ‘permissions’ data. This will be a sensible approach for large organisations to adopt commercially, largely for environmental reasons. And user-centric identity technologies (such as open ID, Infocard and i-names) will start to become more popular. They’ll impact b2c (or more accurately c2b) electronic relationships. People will want to restrict the flow of personal data into organisations, though people will see a clear trade off in offering personal data to get improved customer experience.

Meanwhile, the next generation of personal information management services will emerge. These alternative ‘single views of the customer’ will be available for organisations to tap into — with permission, and usually at a cost. This will be the trigger point for real change. For the first time, data sourced FROM an individual will be more valuable commercially than data gathered ON an individual. In practice, this is about “pull”: the commercial value of these new data sources comes from the higher response rates that come from the much improved relevancy of communications. ‘Pull’ beats ‘push’ every time at the micro, one-to-one level.

When this new value is created within the PIMS, commercial law swings into gear. Individuals and suppliers will build robust contracts around these new services and at last, we have something akin to ownership of our personal data.

In short, the point at which I will ‘own’ my personal data is the point at which I can actively manage it. If I have the choice over whether to sell it to someone, and can cover that sale with a standard commercial contract, then I clearly have title. But – and this is crucial – this doesn’t mean that I ‘own’ all the personal data that relates to me. Lots of it will still be lying around in various supplier operational systems that I won’t have access to (and probably don’t want to – much of it is not worth me bothering about).

Technically we can just about do this now. As ever, I think we’ll have to wait a bit longer for all this to build a mass market for personal data ownership and management. That said, I think we’ll start to see little signs of life in this space over the next 12 months. Watch, as they say, this space.

Talking of which, do any of you database marketers out there want to buy my ‘intention to buy’ data for the next 6 months? I’ll break it down by product / service category, add likely purchase dates, indicative amounts and existing preferences of various types… and send it in a format that feeds straight in to your CRM system. £10 per category for a one off use, and I can GUARANTEE that my data will be more predictive of what I’m going to buy than your own analysis or what you can buy in from other external data providers.

Iain Henderson

Some Useful Research

Here’s some useful input from Experian; we’ll be looking to take this down several evels of detail with The Trust Index over the next few months.

Consumer threat to blacklist unsecure brands

The majority of UK consumers have threatened to go out of their way to spread brand-owners data protection failings, following a sharp rise in firms failing to keep personal information.

According to a new study by creditexpert.co.uk how businesses store and use personal data is a crucial factor in whether a person is likely to buy from an organisation or not.

Sixty-five per cent of respondents in the survey claim they would not buy again from a company that did not keep their personal information absolutely safe.

The survey also found that car dealers are the organisation consumers are least likely to trust – 46 per cent of respondents would not rely on them to keep personal data safe, closely followed by insurance and Internet companies.

Google Calls for Global Privacy Laws

This is nice, no sooner do we get The Trust Index up and running and Google kindly set out the case for it – albeit indirectly.

Yes, there is a need for a global approach to privacy standards. But that won’t happen for a long time – too many vested interests. In the meantime The Trust Index will do what it can to bring transparency to the current mess.

Interesting however that Google point to the APEC guidelines – not setting the bar very high as this article points out.

The Trust Index – Introduction

Welcome to The Trust Index – a VRM (Vendor Relationship Management*) tool that aims to help individuals differentiate between organisations that they should trust with their personal information, and those who they might not be so comfortable with.

* VRM, or Vendor Relationship Management, is the reciprocal of CRM or Customer Relationship Management. It provides customers with tools for engaging with vendors in ways that work for both parties. CRM systems until now have borne the full burden of relating with customers. VRM will provide customers with the means to bear some of that weight, and to help make markets work for both vendors and customers — in ways that don’t require the former to “lock in” the latter.

The goal of VRM is to improve the relationship between Demand and Supply by providing new and better ways for the former to relate to the latter. In a larger sense, VRM immodestly intends to improve markets and their mechanisms by equipping customers to be independent leaders and not just captive followers in their relationships with vendors and other parties on the supply side of the marketplace.

The chart below shows a sample output from the Trust Index – showing an overall Trust score and then the breakdown by component parts.

ti-output-for-wordpress.gif

Project VRM

(Cross post from Right Side Up)

Here’s a new project with complementary aspirations to BCCF.

Project VRM (Vendor Relationship Management) is coming primarily form a technology/ digital identity start-point. It is sponsored by The Berkman Institute at Harvard and led by Doc Searls, Senior Editor at Linux Journal and Co-author of The Cluetrain Manifesto.

Nice to see the convergence between the technologists and the customer management practitioners bringing this space closer to reality.