There is a ‘data rush’ on and it’s taking on the look and feel of the ‘wild west’. Nevertheless, a new order is coming.
In order to access, process, and share data, enterprises must comply with many regulations (such as GDPR in Europe, CCPA or HIPAA in the US) and sign many complex agreements such as a DPA or BAA. Besides, companies increasingly depend on SaaS services that frequently need specific data related to processing the company’s data and sometimes bring some new data for the company. Against this background, it is worth asking: Who can manage the multifaceted web of data flows? How many companies care about them? Yet, when something nasty happens, all relevant parties have to bear responsibility for their actions.
Follow the data
“Follow the money” is a famous quote from the 1976 movie, All the President’s Men. It was the hint to the Washington Post’s investigative journalists to find those who were responsible for the Watergate scandal. Similarly, when a data breach happens nowadays, we can say, “follow the data” to see who is liable in the end. And it can be expensive for the responsible companies, as it was expensive for President Nixon.
Many companies are not sure what they are doing with all data regulations and agreements. Furthermore, they have a hard time evaluating the exact risk linked to these agreements and the data they use or share with third parties. The reality is that enterprises are more and more concerned about the liabilities that come with data.
We can simplify and divide companies into two categories:
1) Companies that just sign all data agreements and add all needed regulatory statements but don’t evaluate what they do and what they should do with data, and
2) Companies that diligently evaluate all these agreements and regulations but still have difficulty understanding exact requirements. As a result, they end up paying a lot of money to lawyers and security experts.
The first category of companies typically has comments from the executive team like, ‘don’t waste time with those stupid data rules; we need to do business.’ In a way, this is easy to understand. An enterprise might need to sign a few data agreements within a week when it uses some new tools or offers its own SaaS products. Executives are primarily concerned about data regulations that can freeze their business activities.
At the same time, they start to operate with rapidly growing risks. A company that encounters a data breach has probably just had lousy luck. However, when dozens or hundreds of other companies use your services, and you use dozens of third-party tools, and all these parties again use the same network as other services, the risk can start to increase exponentially. In the first case, one company has a data breach, and many of its service providers and customers are also contaminated.
It is fair to say it is impossible to get the risk to zero. You can decrease your risk significantly if you meticulously assess how to use other services, offer your product to other parties, and carefully evaluate which responsibilities you have. But this takes up a lot of your resources.
Finding a way out of the regulatory jungle
We can conclude that data sharing, third-party tools and data regulations and agreements are a jungle nowadays. Regulators try to do their best to help consumers to protect their data privacy. Yet, sometimes they also make the jungle worse. At the same time, many companies don’t follow the rules, and we see a very wild data business.
We can highlight several fundamental problems in the data business that are prevalent at the moment:
1) Companies can own individuals’ data and trade it;
2) Many companies have very low competence and understanding of which data is beneficial to them and when it makes sense to buy or share data; and
3) Companies (especially marketing people and executives) overestimate the value of big data and underestimate the intelligent use of that data.
This also means that regulatory and legal activities to get current data models working correctly are tricky. Regulators must run behind these wild businesses and limit the worst problems when those companies don’t even know what they are doing with the data.
We see startups that help enterprises better manage their data and privacy requirements and limit the exposure of data they have. There is a growing demand for these solutions. And it is easy to understand that this is a first step for companies to manage their risks better. We also see that the user-held data model is probably the long-term solution for consumer data. But it is a more significant step to take, and some companies need time to understand that it makes sense to all parties. We see now that these services are coming into use, especially in cases where a consumer can get real value from their data.
The data business is the ‘wild west’ just now, and the sheriff can catch only the worst villains. Villains don’t respect other people’s assets or property. When the border expands to the west, everyone learns to appreciate the idea that each person has rights to their land and assets and that it is too expensive to mess with the rules. Now, some executives can afford to ignore rules for a time and hope to be lucky. Nevertheless, a new order is coming to data’s wild west, and sooner or later, each company will have to learn to respect individuals’ data rights and personal data ownership.