Cocooned in the private dining room of our favourite round-table haunt (Riding House Café plug), whilst feasting on the muesli, kedgeree, waffles and coffee, our panel of data leaders chewed over two topics: (1) GDPR and (2) tech stack consequences.
1. GDPR – sense & sensibility
- Is it possible to be GDPR compliant?
- Can you be too GDPR compliant?
- Do the public care or just not understand?
- Is it a waste of time?
- What are the positives?
100% compliance to GDPR (General Data Protection Regulation) is not possible. It’s a continuum, a choice about the acceptable level of risk. Where you put your flag in the ground varies depending on your industry, who’s calling the shots and your pivotal experiences.
Where are we at now?
Internal and external open communication should be an important aspect of company policy and transparency is a way to win trust over the long term. That includes speaking in plain English, the less legalese the better. That is improving but still not a reality in practice.
Research says that the big green “I Agree” consent button is hit 98% of the time without any further reading, and some websites have substituted it for a “Whatever” button. Regardless, companies have no choice but to add one. In most cases, the information or service is seen as valuable enough to risk data ‘misuse’, whatever that might mean. But it’s difficult to tie the data being given away to its consequences. Once the button is clicked, people don’t understand what their data can be used for.
On the flip side, the view that companies collecting personal data know absolutely everything about you is false. The reality is that most are clueless. Most frustrating is that whilst companies are collecting lots of data about us, it’s not being used properly e.g. poor recommendation engines.
So, have internal conversations reached a more sophisticated level? No, it’s just that there’s less focus on it now. GDPR compliance is now seen as a box that’s been ticked. Panic only sets in when a customer challenges compliance. It’s then handed to legal, who don’t understand the architectural difficulties of the corrective steps.
Dealing with GDPR
Individual companies have dealt with GDPR very differently. Some early policy decisions, such as a stipulation that certain data is only held for 8 weeks, have now been baked in and “made a rod for our own backs”. Others take the view that data should be split between PII (personally identifiable information) which should be under triple lock – and the rest which can be openly accessible to analysts who only need access to a small percentage of the data. That way data is far more controllable and manageable – but probably only works if you have good data governance in the first place.
There are still many challenges and questions, some of which were highlighted:
- Legal and PR concerns slow down development of new products or services
- Customers inadvertently provide private data, especially in free text and voice to text conversions. It costs a lot of money to separate out that data
- Identifying and dealing with the semi-PII data that takes work to turn into PII is very challenging
- The charity sector in particular has been paralysed by the need for explicit (re)consent for donations
- Some teams are much more aware of privacy issues than others. Should you deal with GDPR decisions centrally or train everyone?
- The ICO (Information Commissioner’s Office) never gives full sign-off … they always include vague caveats
- Internal stakeholders are often lacking in knowledge, so you need to paint pictures in very simple terms and educate people … but that’s our job as data people
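As an added illustration (not from the discussion or any panellist’s systems) of the “PII under triple lock, the rest open to analysts” split described above, and of stripping PII that customers type into free text, here is a small Python routine that divides a customer record into a vault row and an analytics row joined by a keyed pseudonym. The field names, the vault key and the sample record are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed demo key: in practice it lives only with the PII vault and is rotated
VAULT_KEY = b"constructed-demo-vault-key"

# Hypothetical field names treated as directly identifying (the "triple lock" set)
PII_FIELDS = {"name", "email", "phone", "address"}

# Patterns for PII that customers type into free text: email addresses and UK-style phone numbers
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"(?:\+44|0)\d{2,4}[ -]?\d{3,4}[ -]?\d{3,4}")


def pseudonym(customer_id: str) -> str:
    """Keyed hash: analysts get a stable join key but cannot reverse it without VAULT_KEY."""
    return hmac.new(VAULT_KEY, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_free_text(text: str) -> str:
    """Replace emails and phone numbers that were typed into notes/transcripts with placeholders."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def split_record(record: dict) -> tuple[dict, dict]:
    """Return (vault_row, analytics_row): PII goes to the vault, everything else to analysts."""
    token = pseudonym(record["customer_id"])
    vault = {"token": token, **{k: v for k, v in record.items() if k in PII_FIELDS}}
    analytics = {"token": token}
    for key, value in record.items():
        if key == "customer_id" or key in PII_FIELDS:
            continue  # never copy the raw identifier or PII into the analyst-facing row
        analytics[key] = scrub_free_text(value) if isinstance(value, str) else value
    return vault, analytics


# Constructed sample record, including a support note with PII typed into free text
SAMPLE = {
    "customer_id": "C-1001",
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "segment": "premium",
    "orders": 7,
    "notes": "Called 07700 900123, emailed jane.doe@example.com re refund",
}

if __name__ == "__main__":
    vault_row, analytics_row = split_record(SAMPLE)
    print(vault_row)
    print(analytics_row)
```

The vault row is what sits under the tighter access controls; the analytics row is what the wider team can query, with the free-text note already scrubbed.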
In practice, legitimate interest (roughly: no need for consent if you have it) is seen by some as a get-out clause. With no real guidelines, it’s easiest just to fill out the assessment and get on with life. It almost feels like a game, instead of trying to do the right thing. In practice, you just need to demonstrate that you’ve made ‘best efforts’ or, as one leader advised, don’t spam people and they won’t complain … and then the ICO won’t investigate.
The Regulations aren’t going to change substantially although some further government intervention is likely (new report published 5th Feb 2020).
In terms of current public perception, unintended consequences like over-exposure of data sharing are still a problem, like Google Maps suggesting your journey to a destination that you’ve not asked for. The 2nd and 3rd-order consequences of clicking OK on data sharing are buried in the terms. By 2021 we will be living in a 1st party cookie world. 3rd party cookies are already being ditched (Google and Chrome). This is leading to more direct engagements, like subscription models in media products.
From a technology point of view, GDPR has had some very positive consequences. One data leader described their scenario: “it means teams have had to work closely together. Teams are now structured in a way that makes more sense (e.g. product teams), more transparent and Agile. New policies have refreshed our minds about how we work. It’s taught us to think more creatively.”
2. Tech stack – choice, culture and tension
It seems that there are plenty of things to get frustrated about when it comes to the tech stack decisions that businesses have made in the past and are making now, but a lack of choice is not one of them. As one of our data experts commented, Big Data London was like going into a massive (bewildering) candy store. The vexation felt is much more to do with who gets to choose, who should be choosing and the agenda behind the choice.
From the discussion, there was an initial obvious split between traditional corporates and nimble start-up companies, but we also had an example of a 150-year-old corporate with a plethora of legacy systems and policies but a very progressive story to tell.
All round the table agreed that there needs to be an element of control, especially as far as infrastructure is concerned. This is probably best carried out centrally to maintain coherence, most obviously by IT. However, when it comes to the front end, it’s best to give as much freedom as feasible to the people who will be using the stack. But there is a conflict. For instance, all marketing people are desperately seeking better and faster insights about their customers, but IT tend to think long term, in years.
So, where IT do get involved in decisions about the front-end, it seems that delays and costs rise rapidly. In one example, a £10 per month cloud solution was identified where IT had suggested a £30k on-premise purchase, and in another a decision had taken so long that 2 years down the line choices were still being debated (nothing new there). To add to the tension, cloud solutions are now enabling fast-moving teams to circumvent IT’s control at low cost, sometimes without even telling them about it. That said, it’s surprising that for many, cloud is still in its infancy in terms of being useful and usable. Either it’s a mess, too restricted or not in place at all.
We heard stories of CEOs making choices on the golf course (shock horror) and IT blocking all technical suggestions as policy (allegedly!). The most positive story involved a restructure: new product teams act like small start-ups, with a suite of skills, input from stakeholders and shared responsibility to deliver a longer-term agreed KPI (‘retention’ in this example) and short-term deliverables in an Agile methodology. Infrastructure is mostly determined, but the choice of front-end stack engenders creativity, buy-in and delivery. It was noted that this was not a company-wide big bang approach but rather a small-scale success that encouraged others to want to join in.
There is no utopia. As always, communication and support from on high is key, alongside a data strategy that assists the business strategy to succeed.
Thank you to our Data Leader, Janet Bastiman for chairing the event.