Understanding the true nature of data and the rights of its subject

(Second in a series of three articles about the changing nature of data strategy for businesses. Excerpted from Data Leverage: Unlocking the Surprising Growth Potential of Data Partnerships by Christian J. Ward and James J. Ward. The first article can be viewed here. Reprinted with the authors’ permission.)

What is data?

You may think you know what data is, but before you plunge ahead, let’s examine that understanding, why data merits protection, who regulates it, and what you can do to strike the appropriate balance between privacy and profitability.

We admit that we’re nerds. That means our obsession with data, information, strategy and law come together in a coherent bundle of geeky energy that we put to use for our clients. It also means we have a perspective on things that others typically do not share.

For example, we were recently discussing a document from CNIL, the French Data Protection Authority, and remembered that, in French, the word data translates to les données, which is the plural of the word donné, which means “given.” In fact, virtually every version of the word for data in European-based language revolves around that same concept: “this piece of information is what was given.” The Latin datum means “having been given.”

This is probably not how you think about data. For most of us, data just means information and, more specifically, electronically stored information. But all data is, in some sense, “given.”

While not all data is about a person (weather data, for example, is not), the data that is most useful for partnerships typically will, in some way, relate back to a person. The weather data may help you predict purchasing habits for people, or the most efficient shipping method to reach an individual. So, while not all data is directly about individual persons, it is very common for all data to relate to, connect with, drive marketing to, or interact with an individual person.

Once you understand that all data is “given,” it begs the question “who gave it?” In the midst of a data inventory or audit, it is very easy to think of the data as almost having created itself, or to see it as a dehumanized set of information that comes “from the internet.”

But that’s not correct, of course. An individual person is the ultimate source of most of this information. Data itself, as mere information, has no rights, and our approach to the ethics of its use are going to depend substantially on the choices of the company processing it. But there are risks and benefits to dehumanizing, as opposed to humanizing, data.

The dehumanizing approach is the standard view in the United States. Data, unless otherwise required by law, is basically usable for any lawful purpose. You can’t fabricate it and you can’t lie about what you do with it, but as long as you got the data through legal means, it’s yours to make use of.

This structure has more or less facilitated the growth of Big Data, mass analytics, and algorithms so sophisticated they somehow know that you prefer Jimmy Cliff’s version of “I Can See Clearly Now” to the more popular Johnny Nash rendition. Companies can dissect the data in the dehumanized approach in all its forms and endlessly repurpose it, creating new forms of value and new methods for reaching customers and growing business. The dehumanized approach is also a source of great stress for those same customers, and as a result, has caught the attention of regulators and politicians.

The humanized approach, by contrast, forces companies to recognize that a subject of data is a person with autonomy and rights. In Europe, data subjects have a fundamental right to their privacy, and that is why understanding the humanized approach to data is so essential. If you don’t understand that the European General Data Protection Regulation (GDPR) is really about a completely different perspective on data, you’re going to have a vastly more difficult time complying with it.

For the European Union and for its Data Protection Authorities (DPAs), data is an extension of an individual, another aspect to their personhood. Yes, a person may have voluntarily given their data to a company to use, but that data will always belong to them because it is part of who they are.

Because this is the approach European regulators take, it is essential to understand the regulation; taking a “check the box” approach to the GDPR, or any other privacy regulation, isn’t necessarily going to be enough.Think about what Věra Jourová, EU Commissioner for Justice, Consumers and Gender Equality, tweeted on April 9, 2018, about Facebook after the Cambridge Analytica scandal broke: “We will observe with great interest how the letter — and the spirit — of the law are applied.”

An American observer could be forgiven for saying, “Wait, what?” Complying with the letter of the law is one thing, but what’s the spirit of the GDPR? Well, now you have your answer: the humanized approach.

With that in mind, you can see opportunities for US companies, and not just risk. It’s clear that simply following pre-GDPR methods and practices will no longer suffice, and that we need to change our minds and change our approach to how we handle data. If nothing else, the torrent of data breach announcements each week should prove that. But you also can’t try to run a business as if you were a regulator, because regulators aren’t interested in profit.

There is a third way, a balance between the value of data and the rights of the data subject, which is a delicate balancing act. It requires an ongoing focus on how your business gathers and uses data, and how it interacts with the people who provide it. Your company’s third way will never match anyone else’s, because just as each datum is totally unique and data is universal, each business is trying to achieve success in its own way.

(In the next installment of this series: “Introducing the data protection officer.”)


Christian J. Ward


James J. Ward