16 Nov 17

    Data democratisation and GDPR

    unlokq

    Your data is data about YOU, who you are, what you have done, or are doing. Where you have been, or what people and companies and organisations you have interacted with. What you have looked at and who you talk to online. Do you know where your data is, and who is using it?

    We need to know who owns this data, what they are using it for and how it is processed. That was the purpose of Data Protection act 1986 and 1998 and from May 25th 2018 it is the purpose of the GDPR (in the EU), and its equivalent Privacy Shield in the US. Nation states making decisions on how and when our data can be used by large corporations, and giving created authorities the teeth to punish those corporations if they use it in an unethical or unlawful way. This has got to be good, right? Well….kinda!

    If GDPR will do anything for us as individuals it will bring how our data is used to the forefront of our consciousness. But this will only be at the time when we tick that box to provide our consent that the data can be used (for that subset of data that requires consent). But this may be a one-off transaction with a company, for a loan perhaps, and once that load expires the consent is forgotten (by us), but the data can remain with that company for a number of years after the loan has expired. Even more casually we might sign up for a warranty on a purchased product and immediately cast aside the use of our data, which might be used for a significant length of time by that organisation.

    There are other types of data about us too, for example, those cases where we implicitly agree to our data being used by companies registering that the use of our data is in their interest, in order that they can provide products that will make our lives better, this level of altruistic behaviour by large organisations is seldom seen without any level of scepticism. Data such as our browsing history, what products we browse, where we have been.

    So let's extrapolate that into one possible future. Rather than taking affirmative action on whether our data can be used and then it disappearing into a black hole where it is never seen again. Why don’t we take responsibility for our own data and control it ourselves. We choose where, or with whom, our data is stored. Corporations can register with that entity if they wish to consume that data. How would this work? We need to separate the data from the transaction. For example the website where we view products does not store the data itself, it passes the data to a storage entity trusted by that user. The interested party can subsequently register to access that data to see whether the user has authorised them to use it, rather than the default mode being; “If I want it, I will collect it, and therefore its mine” even if the data is about YOU

    But what are these storage entities? Organisation acting as ‘data holders’, they neither own the data, or process it. They are organisations we trust to keep our data secure and allow only reputable organisations with a clearly defined need access to it ​Ref: People don't trust Google and Facebook. We may choose to keep different types of data with different data holders (health, finance), or we may choose not to share our data at all. After all, it is only useful to share our data if we think it will improve our lives as individuals, if we believe this not to be true then we simply choose not to share all, or some of our data. If this sounds a little familiar it is one application of Tim Berners-Lees concepts for a free web, and there is work underway to provide this kind of structure through his Solid project.

    For those of you that think this all sounds like too much work then you might be surprised to hear that you probably do something very similar already. You use your social media account to gain access to other applications (even though you may not trust them, see above). This means that you have granted authority for those applications (no doubt on your mobile phone) to access certain credentials, and other information from Facebook, Twitter, Google to be shared with that application. Why you accept this is not just because it makes your life easier, but because you know that somewhere within Facebook (et al) you can remove this access, even if you have never done it (yet!).

    This is whats missing from the current GDPR-esque system, there is no way to unshare anything. Once data is in the wild it is there to stay, and in fact data can be passed from corporation to corporation, from data owner to data processor without our knowledge or consent, with no register of where our data actually is, what has been collected or how it will, or is, being used.

    Once it is in the wild it is in the wild, roaming free, or better stated gathered, duplicated, merged, filtered, sorted, processed until it may be barely recognisable from the original data we submitted. There needs to be a central repository from which you can find out what organisations are using your data, and how. Central in this case meaning a number of possible organisations providing access to the same (type of) data through an immutable ledger, sounds a little like an opportunity for a blockchain type system for data, right?

    Are you ready? Cos this IS data democratisation! This is returning the responsibility of data back YOU. Whether you are an individual or other entity creating data.