What do you really know about how organizations protect your private information?
Perhaps you don’t think about it that much. Your data has become such a commonly-traded commodity that most people couldn’t make it through an average day without giving their private information to at least a dozen organizations.
Let’s examine a simple daily routine. I’ll bet I can count at least 12 times you gave away your private data in return for a product or a service – perhaps many times, without realizing it.
- You told your voice-enabled Echo to set an alarm for you to wake up 15 minutes early. You just told Amazon when you’re awake (and ready to receive advertising offers).
- Over breakfast, you check your “work” email account. You just told your company’s IT department that you’re on the clock.
- You decide to take public transit into work, scanning your transit card when you board the bus. You just told the transit authorities you’re a passenger today.
- You use your Starbucks card to buy coffee. You told Starbucks what you ordered, and how that’s the same thing you ordered each day for the past week. Perhaps you’re ready for something different?
- Oh, by the way, your Starbucks card is loaded on your Google Pay app. Now Google knows your coffee habit as well.
- You scan your work ID badge when you enter your building. Now your boss knows you’re on site…and that you’re a few minutes later than usual.
- You use a company credit card for lunch. You told the credit card company (and your employer because it’s a corporate card) that you ordered the fish and chips instead of the salad. (Your health benefits administrator might catch a glimpse of that choice as well.)
- You spent 15 minutes on your LinkedIn app scrolling through job postings. LinkedIn knows you’re open for new job opportunities…and if you used the company’s WiFi, so does your boss.
- You worked late (which your employer knows, by the way, because of your exit badge scan) and missed your bus. You decide to take an Uber. Now Uber knows where you live and work.
- At home, you log into Facebook before dinner and post a photo of you and a bottle of wine. That’s the fourth “wine photo” this week. You’ve just told Facebook’s algorithm that you might have a drinking problem. In the meantime, you’re likely to see more alcohol advertising.
- You decide you can’t find anything at home to eat and get in your car. Most modern cars are equipped with GPS tracking. If you happen to get into an accident because you were impaired, the car can notify authorities…and if a judge okay’s it, they might also look at those Facebook “wine” posts.
- But let’s assume you’re back home safely and launch Netflix. Now Netflix knows that you spend 2.75 hours per day (on average) watching television.
I could go on, but I think you get the idea. Most people think the only time their “private” data moves around is when they run their credit card. Perhaps they also realize that their smartphone tracks location data. But few people stop to think about the vast and complex digital trail they leave behind every day of their modern lives.
Put more crudely: the story of most people’s digital lives reads like a scandalous tale of unprotected, anonymous sex with as many partners as possible.
Your companion on every step of the digital trail
In the (limited) example above, we learned we share of private data with many more organizations than we might have thought. When we share our data, we trust those organizations to use our private information for lawful purposes and deliver what they promised us. Trust is the key word. Let’s ask ourselves some questions:
- Do I trust Amazon to send me advertising? Probably, yes. That’s what I signed up for when I bought the device, and even if I don’t think about it much, I know that’s part of the deal. But do I also trust Amazon with my sleep schedule?
- Do I trust my employer with my email habits, arrival/departure times, web browsing history, and credit card expenses? Yes, I suppose I need to. Those are conditions of employment, and they seem reasonable. But do I trust them not to share my dietary choices during lunch with my healthcare insurer?
- Do I trust Google (and Starbucks) with my financial information? They aren’t banks, although we often treat them like one.
- Do I trust Facebook (and Toyota) not to share private social media posts with law enforcement? How well do you know what is “legal” where you live?
Those are hard questions with few easy answers.
For one day, I invite you to write down each time you leave a “digital footprint” – as well as the organization(s) you are trusting with that information. If your situation is anything like the hypothetical example above, you might be surprised how many organizations you’re trusting to protect your interests.
Perhaps you cringed if you wrote down “Yahoo” or “Target” or “The Home Depot.” Here’s the other time people tend to think about organizational data practices: After a breach.
How many millions of Yahoo email addresses (and passwords) were stolen? What about Target? Home Depot? Data breaches have become so common that they blend into the background. Unless your personal financial data was stolen and you were the victim of identity theft, data privacy is sort of like life insurance: You don’t want to think about it, and you sure hope you don’t need to use it.
But unless you are one of the few people who work in the “information” industry (IT analysts, server administrators, data scientists, basically all of modern marketing, etc.) you need to admit that you don’t know how organizations handle your data. You may have suspicions – you may even be a bit jaded – but you don’t have hard facts to answer for yourself if those organizations deserve your trust.
That’s about to change.
The era of data privacy ignorance is over, and we have GDPR to thank for it. After I’m done helping you understand the European regulation, and what we’ve learned in the past seven (or so) months, you may not sleep as well.
Or to use continue my crude analogy of data hygiene habits from earlier in the piece, you may start to use “protection.”
Now more than ever, it’s important that all of us understand what GDPR really is.
The most important consumer protection milestone since Ralph Nadar’s 1965 auto industry exposé Unsafe At Any Speed came and went without much fanfare on May 25, 2018.
The formal name in the European Union is the General Data Protection Regulation, but it’s most commonly known as GDPR. Yes, it generated a blip of attention across the pond, but as with most things that aren’t born in the United States, Americans didn’t pay much attention. Nor did the rest of the world. Thousands of organizations, including Google, Facebook, Amazon, and Apple, all updated their privacy policies. Most of us simply clicked “accept.”
That was a mistake.
Without diving into the bureaucratic language, GDPR is a set of privacy protections for EU citizens. But it’s much more than that. GDPR is a new set of property rights—rights over the data created by all people as they walk through their digital lives: purchase records, locations they visit, surveillance of them, everything.
Specifically, GDPR guarantees:
- the right to access your personal data (companies cannot hide it from you);
- the right to own your personal data (you can request it, a processed called “rectification” … and then take it to some other provider);
- the right to restrict how your data may be used, and most importantly,
- the right to be forgotten (you can ask to be purged from the data gatherer’s records).
GDPR says that you are more than a collection of data.
GDPR is no less than a statement of basic human dignity.
There’s more to it than that, and the more you learn about the specifics, the easier it is to get lost in the technicalities. For our purposes, let’s see how GDPR works in practice.
Suppose you’re interested in a London production of Hamilton, and purchase tickets online from the theater’s website. On the day of the event, you leave your hotel (that you also booked online) and ride an Uber to the theater. Along the way, you are captured on no fewer than three surveillance cameras in the theater complex. You purchase a drink with your credit card, watch the show, and head back to the hotel after a thrilling performance.
If you had done that in New York, as an American citizen, you’ve given no fewer than five organizations (the hotel, Uber, the theater, the concession vendor, and the credit card company) your private information. They can use it, into perpetuity, for whatever purpose they like—usually to remarket other goods and services to you.
(Have you ever escaped one of these mailing lists? I thought not.)
But under GDPR, Londoners have a choice. With one email to each vendor, they can ask to purge all of that data. It would be as if they never attended the show. I’m oversimplifying, of course, especially as it relates to the financial transactions, but let’s pause to think about what a massive change this is. For the first time since the beginning of the internet and the creation of your digital footprint, EU citizens (and to an extent, anyone an EU-based organization touches) have control over a new type of property—their data. Organizations and marketers now must inform them, respect their rights, and up their game if they want the right to use that asset. And because EU citizens cross borders, and because the EU will take action against violators outside its borders, global organizations are forced to comply. In other words, London citizens can ask the New York vendors to purge their data, and those US-based companies will need to oblige them.
(As an aside, I find it ironic that a Brit has more freedom regarding their data than an American going to see a play about a key figure in the American Revolutionary War. But I digress.)
Up to this point, privacy and “data ownership” has been a one-sided battle. Your data freedoms are what data gatherers decide they are. The EU just gave its citizens the data equivalent of the Magna Carta.
What does GDPR tell us about how well organizations handle our data?
Until GDPR passed, we didn’t really know how well organizations handled private data, we could only guess. Now that we can get hard data, I think it’s fair to ask ourselves how well have EU (and global) organizations implemented the changes in data practices and transparency at the heart of GDPR?
Here is the simple answer: Not well.
(Fair warning: What follows is about to get wonky. I’ll do my best John Oliver impression to make what follows interesting and relevant to all of us. But I don’t have a team of joke writers and graphic artists. You’ll have to make do.)
Let’s talk first about compliance. One of the primary enforcement vehicles you have (and by “you” I mean EU citizens) is what’s called a “Subject Action Request,” or SAR, for short. Basically, it says that you can request that any organization holding your data return it to you within 30 days after they receive your formal request. That process for making that request must be easy to find on your website and easy to complete.
Because of that formal process, journalists have been able to test the process. Researchers have been able to collect sufficient quantitative data. In other words, we’re not guessing any longer.
According to one study completed by 451 Research:
- Only 35% of EU-based companies complied to SARs within the 30-day timeline (Here’s a handy tip: when you look at percentages, always read them the opposite way they are stated. You’ll likely learn something interesting. When we do it here, this means a majority of companies, some 65%, did not comply within 30 days.)
- About 50% of non-EU based companies complied on the same test (Really? I wouldn’t have guessed that. I love it when research surprises me.)
- Retailers perform the worst; 76% failed the test (Remember our opposite trick? Only one in four retailers takes respecting your privacy seriously enough to comply with the law.)
- Financial service firms are some of the best; “only” 50% failed (I worked for a bank; those folks are wound tight. But remember, the “best” is still a failure rate equal to a random coin flip.)
- The National Pharmacy Association (UK) found a huge spike in patient data breaches after GDPR implementation. In fact, one of the largest fines levied against a GDPR violator was the Portuguese hospital Centro Hospitalar Barreiro Montijo (CHBM). In two separate violations, regulators assessed €400,000 in fines. Financial identity theft will be nothing compared with genetic identity theft. I’d think twice (or three, or four times) about sending away for one of those genetic tests.
Their research also found that while these organizations generally understand the impact and need for GDPR, actual compliance rates are a better measure of leadership priorities. In other words, believe what they do, not what they say. From the basic statistics above, it should come as no surprise that most global firms would fail a GDPR audit.
Let’s make the point simpler: When you interact with most organizations through the course of your day, they are demonstrably not committed to your privacy. They are committed to their goals.
Hey wait! That’s not fair!
Large organizations are quick to point out that given the amount of data created compared to the number of violations that occur, they are doing quite well handling your data.
It’s a “reasonable” point of view.
Let’s run a simple thought experiment using our hypothetical person as a guide. This person created a sample of 12 “steps” in a digital “footprint” throughout the day. (The actual number could be much higher, but let’s keep the number conservative.) On planet Earth today, there live roughly 7 billion people, about half of which lead “digital” lives. Let’s use another conservative number – 3 billion digitally-connected people – and multiply that by the 12 data points in each person’s digital footprint. That’s 36 billion data points per day, or over 13 trillion data points in a given year. That’s not the real number, of course (the real one is much higher), but it illustrates the scale of the data management challenge.
If you consider the number of “mistakes” (breaches, mishandling of data, improper access, etc.) divided against the total number of data points, the proportion of privacy violations is vanishingly small. More than that, they argue that given enough time, organizations will adjust to the new reality of GDPR (at least in the EU), and these incidents will become even less common. C’mon. It’s only been seven months. They’ll get better, right?
I’m suspicious for three reasons.
- First, it’s not as if GDPR emerged from nowhere. Global organizations had months to prepare for the law’s passage. Since May 2018, they have had more than six months to make adjustments.
- Second, the breaches reported are only the breaches we see, not all the breaches there are. Ask any security expert, and they will tell you that the average consumer doesn’t see most of what happens. That’s by design (it’s embarrassing) and by fatigue (if they told you everything in technical detail, you’d stop listening).
- Third, large organizational data “scientists” misunderstand the perception of risks involved. To them, an error rate of 0.0001% is so small as to be insignificant. They call people who worry about breaches “foolish” and “irrational,” rolling their eyes at the tiny chance something might happen as a result of a breach. I would argue there is nothing irrational about fearing an outcome that may be unlikely, but would be catastrophic if it were to occur. Identity theft (and genetic theft) both fall into that category. (For more, I would encourage those “scientists” to reread The Black Swan and anything by Kahneman and Tversky.)
People worried about privacy breaches are not irrational, but we are being taken for fools.
How to not be a taken for a fool (anymore).
If you are a modern individual, taking advantage of the bounty of technological wonders that make your life easier, your privacy is an illusion. All of your data is available. You gave it away (in most cases, for free). You are relying on the good intentions of these organizations not to take advantage of you. You’re also relying on those same organizations to protect that data from others with lesser intentions. They are clearly failing. We are clearly fools.
If the results of GDPR audits are any indication, you may not have much time to make changes in your “data hygiene” before you begin to experience negative consequences of a hack or other intrusion. Every time you engage in digital behavior, you’re rolling the dice. Snake eyes might be rare, but they happen. But it’s not realistic for most of us to go “off the grid” and completely sever our ties to the digital world.
We need a realistic answer, and we have one: Decentralization.
The saving grace (for those of us outside China and a few other countries) is that no one organization has more than a sliver of your data. Amazon may have some purchase history, but not all of it. Apple may have information about your app use. Netflix understands your television habits. Your health clinic has some biological data. Google knows where you’ve (physically) been. Toyota knows how you drive. You can’t hide your “adult movie” habit from Firefox.
Many of these organizations wish you would centralize more of your activities. They receive a “greater share of wallet” from each consumer. You (presumably) receive greater incentives and benefits. It’s like the practice of insurance bundling on steroids. But I think you now can see the risks of having all your digital eggs in one basket.
The privacy of any one aspect of your life might be a myth, but only you know the entire picture. Let’s explore some practical steps you can take to keep it that way:
- Take steps to keep your digital life compartmentalized. If you use an Apple phone, use a Google web browser. Don’t store your health records on your Android phone. Don’t share browser data between devices.
- Don’t use single login services (such as “login with Facebook”). Yes, it’s easier. And yes, you created a backdoor for Facebook … as well as anyone who hacks your account.
- Take extreme care before sending away for a genetic test from anyone other than a large, established, medical institution. And if you do, pick one that is not your primary clinic.
- Learn how to turn off location services, facial recognition, and listening services (Alexa, Siri, Cortana, etc.) when they are not in use.
- Split your financial life into more than one institution. For example, don’t use a credit card from the same bank the holds your checking account.
- If you live in the European Union, learn how to file a GDPR request. Here’s a link with some tips.
It seems to me organizations are in a precarious position. If they come clean with their data management practices (and show their warts), they risk a negative perception in the marketplace versus those organizations who choose to be less transparent. But those who choose to be opaque risk catastrophic breaches of trust when the inevitable occurs. It’s a lose-lose.
That’s why I am tempted to advocate for a wider adoption of GDPR-style legislation, worldwide, to level the playing field. In lieu of that, I think there is a market opportunity for white hat hackers to expose privacy violations and issue “trust ratings” alongside “consumer ratings” on every website. (Will organizations pay for that? If they’re doing well, yeah, probably.)
Until that day comes, it may seem like these efforts are an extreme form of paranoia, but for anyone who has suffered identity theft, they are sensible and reasonable. Think of decentralization the same way submarine designers think about sealable bulkheads. If one compartment springs a leak, it doesn’t sink the entire ship.
But more to the point, because you are the only one who holds all the cards, you have power. No “one” can be trusted with your all of your data, but perhaps “every” one can be trusted with just a little of your data – at least until we have better safeguards.
A special note: Lorenza Maria Villa, an Italy-based GDPR Consultant & Data Protection Officer, was kind enough to review a draft of this article and provide feedback. I am in her debt. Grazie!
About Jason Voiovich
Jason’s arrival in marketing was doomed from birth. He was born into a family of artists, immigrants, and entrepreneurs. Frankly, it’s lucky he didn’t end up as a circus performer. He’s sure he would have fallen off the tightrope by now. His father was an advertising creative director. One grandfather manufactured the first disposable coffee filters in pre-Castro Cuba. Another grandfather invented the bazooka. Yet another invented Neapolitan ice cream (really!). He was destined to advertise the first disposable ice cream grenade launcher. But the ice cream just kept melting!
He took bizarre ideas like these into the University of Wisconsin, the University of Minnesota, and MIT’s Sloan School of Management. It should surprise no one that they are all embarrassed to have let him in.
These days, instead of trying to invent novelty snack dispensers, Jason has dedicated his career to finding marketing’s north star, refocusing it on building healthy relationships between consumers and businesses, between patients and clinicians, and between citizens and organizations. That’s a tall order in a data-driven world. But it’s crucial, and here’s why: As technology advances, it becomes ordinary and expected. As relationships and trust expand, they become stronger and more resilient. Our next great leaps forward are just as likely to come from advances in humanity as they are advances in technology.
If you care about that mission as well, he invites you to connect with him on LinkedIn. If you’re interested in sharing your research, please take the extra step and reach out to him personally at jasonvoiovich (at) gmail (dot) com. For even more, please visit his blog at https://jasontvoiovich.com/ and sign up for his mailing list for original research, book news, & fresh insights.
Thank you! Gracias! 谢谢!
Your fellow human.
Source notes for this article:
IT Pro (UK)
I’ve embedded most of the links in the article itself, but I found myself continually referring to this UK site for a comprehensive run-down of GDPR news. If you’re an IT professional, I’d keep a close eye on their aggregation. They provide helpful links to the original reporting as well as concise summaries of the implications.
Let me put it a different way: Because the “carrots” aren’t working, the EU is bringing out the data privacy “sticks.” That means violators are getting fined. Don’t think you’ll get found out? Well, tell that to the lawyers teaming up with artificial intelligence software to develop automated scanners of privacy policies on your website. I would bet money the nastygrams are on their way.
If you’re a consumer, IT Pro will give you a sense for what’s going on in non-technical language. Fair warning: You may not like it.