The missing link in personal data

Author: Alan Mitchell, Chairman of Mydex CIC

In this Comment piece, as part of the Observatory's Data Fortnight, Alan Mitchell, the Chairman of Mydex, argues that despite scandals like Cambridge Analytica, the biggest problem - and opportunity - in today’s personal data landscape doesn’t lie in things that are happening but shouldn’t. It lies in things that aren’t happening but should: like individuals being empowered with their own data.

If anyone needed convincing that today’s digital economy needs radical reform the Cambridge Analytica/Facebook scandal should end the debate. Quizzes as fronts for data harvesting, the gaming of consent, devious methods used to pursue toxic purposes - all operating at scale. Something drastic needs to be done.


Yet there’s danger in knee-jerk reactions. Even if policy makers and regulators acted robustly and decisively to make sure Cambridge Analytica-style scandals never happen again (as they should) we would hardly touch the biggest, deepest and most intractable issues now facing the emerging data economy.

Stepping back to view the data landscape in perspective, we can see three categories of problem that now need addressing.

Category 1 is made up of multiple, separate specific problems such as the dangers of unfair and discriminatory outcomes of algorithm-driven automated decisioning systems. Each one needs its own specific, bespoke solutions.

Category 2 is the need to end the Wild West era of collection and use of personal data: the systemic abuses, invasions of privacy, excessive monetisation and straightforward corruption that characterise today’s ad-tech industry. GDPR is part of this but only a part. Regulators need to enforce the regulations too.

Then there is Category 3: big, deep issues about value and structure that hardly anyone is talking about, but should be.

Let’s take value first.

Where does the value of personal data come from? Sounds like a silly question? Perhaps but too many people have got it wrong. Whether in businesses, policy making or privacy activism many people today believe that personal data is valuable because it is a commodity that can be rented and sold, mainly for the purposes of marketing and advertising.

In fact, this is just a small subset of the main uses of personal data which revolve around service providers in every sector (health, financial services, travel, retail and so on) using data to do admin, organise and orchestrate service delivery, match users to services, monitor and respond to changes as they happen, gain new insights and streamline decision-making. In other words, across the economy as a whole, the value of data comes from its utility: its ability to enrich services outcomes while removing friction, risk and cost.

To build trust around such data use we need to move beyond the barrier of ‘consent’. Mechanisms of consent simply impose an unwelcome, extra burden of work on individual's and are routinely gamed. And they shift the onus of responsibility of how the data is used on to them. Bona fide organisations genuinely wishing to use data to build trust and add customer value should adopt the principles and policies of Safe By Default. Individuals should just know that their data is safe, without having to read or agree to reams of terms, conditions and privacy notices. By safe, I mean: only the data needed to provide the service is collected and stored; it is not used for any other purposes and not shared with any other parties. All this should be easily provable and transparent.

The simple promises of Safe By Default (widely and honestly applied) are all that’s needed for trust to be rebuilt and for data’s real economic value to be unleashed by organisations. But left alone, it is not enough. Because it misses the other half of the data coin.

Right now, the potential utility of personal data is massively restricted, because only the large organisations that hold this data can use it. Individuals and households are effectively excluded. There are countless things that people do in their daily lives, such as managing pensions and money, organising provision of health and other services, or managing dealings with their suppliers - where they, too, would benefit from the utility value of their data. There are countless ways that personal data could be used to enhance, enrich and add convenience to peoples’ lives via services working for and using data for the individual.

But that’s not happening. The biggest scandal in data today is not what is happening but what is not happening: individuals not being able to realise the value of their own data for their own purposes.

This is a structural flaw at the heart of today’s data economy. Today’s structure is organisation-centric, with individuals’ data collected into large data silos by (mostly) large organisations. Each individual’s data is dispersed, out of their control, across multiple such silos.

This structure and architecture denies individuals the ability to easily collect, store and manage their own data under their own control. It denies them the ability to use their own data for their own purposes. It denies them value. It denies them agency.

For this structural and architectural flaw to be addressed every individual in the country (no, in the world) needs to be provided with their own personal data store where only they can see and manage their own data with automated services that help them manage their data in ways they can benefit from it.

Empowering individuals with their own data (alongside a Safe By Default approach to organisations using this data for service provision) would not only help re-balance what is currently an extremely unbalanced data ecosystem, it would do more to restore trust than anything else currently on the agenda - while helping unleash the full potential of data for citizens, society and the economy.