All those emails on privacy mean nothing

If you’re like me, you’ve no doubt received hundreds of emails in recent weeks from organisations around the world wanting to update you on their privacy policies. They were all rushing to meet a deadline of Friday 25 May. While for most people they were just more emails for the trash, there was, nonetheless, an important reason behind them.

Friday 25 May was a watershed date. For most people around the world it seemed a day pretty much like every other. Except if you live in the European Union (EU) and tried to visit the websites of the Los Angeles Times, the Chicago Tribune or The New York Daily News. Instead of their landing pages, you’d have seen the message: "Unfortunately, our website is currently unavailable in most European countries."

This wasn’t a server error or a problem with undersea cables. This was a conscious decision to cut off a half billion-strong consumer market as the lesser of two evils. Big call.

The denial of service by the media websites and the emails you received hinted at the magnitude of the change coming for people and organisations, not just in the EU but across the entire world from May 25.  As of that date, the General Data Protection Regulation (GDPR) came into effect in 28 European countries.

This important economic block, which is home to 500-million consumers and citizens, now boasts the most robust data regulation in the world. While it’s triggered a fundamental shift in how personal data is collected, managed, stored and used, few organisations have grasped the enormity of the impending changes to the way they need to operate, and to how consumers and citizens can now control and access their own data.

In brief, GDPR means that any organisation, whether it’s Amazon, Google, a government, a small online retailer, school, hospital, football club and so on, must be completely transparent about how it uses personal data it collects. Consumers and citizens must give explicit permission for their data to be used or shared in any way, and organisations with more than 250 employees must hire a data officer.

This doesn’t just apply in the EU. Our transnational world means that even, for instance, a stamp-collecting club in Wagga Wagga with members in the EU must comply.  Failure to do so means a substantial fine: €10 million or 2% of global revenue – whichever is higher.

Dig a little deeper, however, and the true impact of GDPR begins to emerge.

Any company, regardless of where it’s based but which has consumers in Europe must now literally monitor, secure, manage and organise every single piece of sensitive data they hold, and in unprecedented detail. The same applies to any EU member state government. Organisations must now be able to identify and track individual pieces of data. They have to be able to identify who has accessed that data, where it’s been accessed, as well as when and how. And they have to respond to any consumer or citizen who wants to know how their data has been used in the past, or who wants their entire record expunged as part of the right to be forgotten. The organisational infrastructure needed to do all this is, in a word, huge.

So not surprising then that some large US organisations, like the LA Times, the Tribune and the NY Daily News, have already decided that blocking users is the lesser of  two evils – the other being complying with GDPR. This won’t help them, though, because they still have historical data on EU citizens, and must toe the line. And longer term, their business models rely on being able to monetise the data they hold.

The world of data has become so inextricably complicated that it is impossible to unravel where true ownership of data lies, and accordingly, who gets to claim ownership and privacy rights.

Take, for instance, a basic online transaction: A consumer in Townsville in Queensland Australia buys a spare part for her car online from Italy using an Australian bank-issued credit card on the VISA platform. The buyer, the Italian vendor, the Australian bank, and VISA aren’t the only parties to this transaction. There are multiple banks involved in transnational e-commerce; there is the hosting platform for the vendor’s website; the buyer’s email provider; the satellite services that transmit the transaction data; and various other parties. This simple demonstration reveals that every piece of data comprises contributions from multiple parties in many jurisdictions.

It also indicates that implementing a consumer’s right to be forgotten is a tangled web.

Identifying the ‘owner’ of data is a challenge yet to be tested by the authorities tasked with enforcing the new data privacy regime. It will be further complicated by having to abide by the GDPR as well as the relevant data regimes in each country where the various transaction elements occurred. It almost goes without saying that there could be significant differences between them. And we haven’t even touched on the emergence of non-jurisdictional transactions facilitated by blockchain and settled with cryptocurrencies.

In Australia, the advent of the open banking regime in July 2019 poses another raft of headaches, as bank customers will be entitled to greater access to and control over their data. In the next year, the banks – already grappling with a host of reputational, trust and operational issues – must implement a seamless process to facilitate open banking, accommodate GDPR, and have their arms around every country’s data regime in order to provide skeptical customers with full confidence in their data governance strategy.

It won’t stop at the banks. We already know that energy and telecommunications are next, and the ‘open data’ trend is likely to continue until it covers every aspect of the public and private sectors in Australia.

Don’t underestimate the size and impact of what lies ahead. It’s against this convoluted background that I contend that the last-minute rush to send out privacy emails is just a box-ticking exercise. It certainly doesn’t address the root of the issue, which is the security and sovereignty of data.

Why’s this the case? It’s because complex systems (including manual, human and complex technological processes) that have developed over many decades weren’t designed with privacy at their core, except in very rare instances.

One privacy email I received last week came from Mozilla, the creator of the Firefox browser. This paragraph in particular caught my eye:

“…unlike other organizations, Mozilla has always stood for and practiced data privacy principles that are at the heart of privacy laws like the GDPR. It feels like the rest of the world is catching up to where we've been all along.”

Mozilla appears to be among the few companies that had the foresight to bake data security into their entire business and operational model from the start, instead of applying a band-aid overlay that requires vast and expensive monitoring and reporting systems.  

Another company that took that approach is IXUP.

IXUP saw the new world data order coming several years ago, and came up with a simple, elegant solution that accommodates the rights of consumers and citizens regarding their personal information while also meeting the needs of organisations to monetise data.

Our patented software platform rests on the two pillars of the sovereignty and security of data. Consumers have confidence in the fact that organisations using IXUP don’t need to share their personal data in order to collaborate with other parties. Furthermore, they have the assurance that each element of that data is locked down with unique encryption, creating multiple layers of security.

With data secure from the outset and never, ever sharing it, the need for all the other belts and braces becomes redundant. Suddenly, complying with GDPR and other data security and privacy regimes becomes easy, simple and cost-effective. Organisations that tried to bring together disparate technology solutions to share their data just can’t provide enough band-aids to overcome the privacy exposures their systems create.

That’s why IXUP’s technology is different. Secure data. Trusted collaboration. By design and from Day One.

About IXUP

Founded in 2011, IXUP (pronounced 'Eyes Up') is an innovative data collaboration platform. The IXUP platform helps organisations gain significant time and cost savings by eliminating complex challenges around connecting data, derive deeper insights and knowledge to inform business strategy, and turn data into actionable insights. The platform’s unique approach to data collaboration enables organisations to gain a significant competitive advantage. IXUP is headquartered in Sydney, Australia.  For more information visit www.ixup.com

About Tim Ebbeck, Executive Chairman, IXUP

Tim has more than 30 years of business experience in a range of roles and industries. Previously he was MD of Oracle in Australia and New Zealand, and Chief Commercial Officer of NBN Co. Prior to NBN Co he was CEO of SAP in Australia and New Zealand. He is also a former CFO of SAP, Compaq, and Unisys and Investment Director in the venture capital industry. Tim has twice been a member of the Business Council of Australia (BCA) and is an inaugural BCA Women "C-Suite" Mentor.

Tim is a non-executive director of listed GeoOp Ltd (NZX:GEO) and a former director of Nvoi Limited (ASX:NVO). He is also a non-executive director of NextGen Distribution Pty Ltd and a trustee of the Museum of Applied Arts and Sciences in NSW.

Tim holds a Bachelor of Economics degree and completed a management program at INSEAD. He is a Fellow of CPA Australia, a Fellow of the Australian Institute of Management and a Graduate Member of the Australian Institute of Company Directors.

Media Contact

Amanda Vermeulen, Filtered Media

 0487017699

amanda@filteredmedia.com.au