GDPR: Who really owns the data

Image: Shutterstock

On May 25th, 2018, a landmark regulation came into effect, that will potentially transform the data rights and harmonise data protection across all states in Europe. This is bound to have a significant impact of how data is owned, managed, used, accessed and shared by companies. So, the key question to be answered – in an increasingly digital world, who really owns the data?

Data privacy and ownership conundrum
The debate over data ownership & usage of this information by online firms has been there for many years now. Tim Cook, CEO of Apple, in a rather famous interview, mentioned that Apple’s business model, unlike other firms like Google, Facebook and so on – is about selling physical products rather than capturing data about customers. The Facebook Cambridge Analytica fiasco is a testimony to the misuse of personal data held by many of these online unicorn firms. Over 87 million documents of personal data about customers was allegedly shared by Facebook to influence people during the election. Google’s privacy policies mention –

“…We collect information to provide better services to all our users – from figuring out basic stuff such as which language you speak, to more complex things like which ads you’ll find most useful, the people who matter most to you online or which YouTube videos you might like.. We also collect the content that you create, upload or receive from others when using our services. This includes things such as email you write and receive, photos and videos that you save, docs and spreadsheets you create and comments that you make on YouTube videos….”

Amazon again mentions in its privacy policy that they use personal information to personalise and improve customers’ shopping experience.

So clearly, massive zetta bytes of personal data collected by these firms – both purchase and behavioural is used to effectively to either personalise advertising or used to personalise and recommend products for shopping and any other commerce related activities.

So, clearly the question to ask, if personal data is owned and used without the explicit knowledge or permission of the user, is not a violation? Or more simply put, are you the owner of your own personal data and do you have the right to give permission to let others use all this data?

Data ownership – Empowering the customer
What General Data Protection Regulation (GDPR) has effectively done is that, it has transformed the power of data ownership in the hands of the customer. Therefore, a company or a website or service is deemed a violator if it extracts and processes personal information without the permission of the customer. GDPR defines any data as personal data which identifies a person directly or indirectly which includes:

» Personally identifiable information (PII) incl. name, address, phone bank details, location. » Data like IP address, cookies or even a customer post or a tweet and so on.
» Even data IDs that can be worked backwards to identify a person such as raw IDs, ‘anonymised data’ and so on.

Therefore, how does it empower the customer about their own personal data and usage?

» Right to be informed: Provide detailed information about who is collecting and processing personal data.
» Right of access: Individuals can seek confirmation that their personal data is being processed and can request a copy of all their information free of charge.
» Right to rectification:  Individuals can seek rectification of inaccurate or incomplete information and it is the responsibility of the companies to share it with third-parties who they had shared with earlier.
» Right to erase: Individuals can withdraw their consent and request deletion of their data when there is no legitimate reason to process it.
» Right to restrict processing: Individuals can exercise the right to restrict the processing of their personal data while it is still stored with the processors.
» Right to data portability: Individuals can obtain their data from their processors for their own use or use it across other services.
» Right to object: Individuals can raise an objection to their personal data being processed, if they have a compelling reason.

As you can see, there is a transfer of control of personal data back to the customers and it provides all the flexibility to customers, as they are rightfully the owners of their own personal data and it gives them all the right to share the personal data with service providers who they would want to do business with or stop doing business with.

Customers as data owners
We are moving into a new era where personal data ownership will move back to customers again. The transition is not expected to be smooth and rapid. Customers will start demanding for their digital rights and digital asset ownership. It will become the prerogative of customers to share data on what they search, what they buy, what they share, what they email or what photo they upload etc. One can foresee a future where every customer will own their own ‘digital locker’ where their personal, behavioural data is stored and refreshed every day. They will have the right to provide access to the digital firms on usage of this data for personalisation, recommendations, consent-based advertising, contextual content or media access etc. based on permission rights provided by the customers.

GDPR has started the data ownership revolution across the globe and it is only expected gain more momentum in the future. Finally, nobody else can own a customer’s personal data or information. It must be retained by the customer and she will have complete right of ownership of this information.

The author is a Co-Founder & CEO of  Hansa Cequity, a leading customer & data-driven marketing company out of India.

The thoughts and opinions shared here are of the author.