The story of data, Part 3: Who owns it?
Most marketers say that while consumers are the true owners of their own data, data controllers are responsible for its stewardship once it's shared
In earlier installments of our story of data, we’ve established that we’re now awash in personal data. Wallowing in it. In this, our third installment, we’ll talk about who owns it.
Seems like a no-brainer: People own their own personal data. Or do they? Once a person shares their data, ownership becomes much murkier.
And with the General Data Protection Regulation (GDPR) coming into full force on May 25, 2018, guaranteeing residents of the European Union (EU) additional rights to their data, the issue becomes even more complicated.
Mike Dougherty, chief executive officer of programmatic radio ad platform Jelli, says that each person owns their own data, most of the time.
“Under GDPR law, the individual owns the rights to their data, with a few exceptions,” Dougherty said. “They ultimately have the final say, not the company that possesses it — whether obtained through consent or not.”
Julia Stead, vice president of marketing at call analytics company Invoca, says it is the consumer. Probably.
“Data giants like Google and Facebook are very careful to avoid mentioning ownership in their data collection policies, they focus on collecting and storing user data,” Stead said. “I think it’s really the individual consumer that owns the data. To a certain degree, consumers can choose what data to share and what data to keep private.”
Once a consumer shares data, is the genie out of the bottle?
Dougherty says that it might not be reasonable to expect companies to fully comply with GDPR’s Article 17 giving them the right to erasure, which means exactly what it sounds like — full deletion of personal data.
“It’s GDPR articles like the ‘right to erasure’ that make this matter extremely complex,” Dougherty said. “There is so much room for conflict between the requirements and exceptions that it will be a daunting task for any company to adequately assess data. To comply, companies will have to make determinations on a case-by-case basis. Problem is smaller organizations — ad tech companies, publishers — stand to lose because they lack the resources to comply at this granular level.”
Travis Ruff, chief information security officer at Amperity, says he expects that Article 17 will force companies to justify why they might keep data that users want erased.
“I think that the ‘right to be forgotten’ is where most companies will be spending their time once they have the basic policies and processes in place for GDPR,” Ruff said. “It is important to acknowledge that the authors of GDPR realized this potential conflict and do not put any organization in a position of having to choose between which law or regulation they will be compliant with. However, what GDPR does do is put organizations in a position of having to justify why they keep data that would otherwise not be allowed, ensure they document the analysis and have a defensible position. Unfortunately, until we get some actual case history built, no one will have a clear answer as to whether that justification is sufficient.”
Who owns data within the companies that are collecting and processing it?
While GDPR wants consumers to know it has their backs in terms of their data, it also acknowledges that once a consumer shares that data, other entities must take responsibility for it.
Most marketers I spoke to said that companies are merely stewards of the data and that the data subjects maintain ownership throughout.
Pamela Dingle, principal technical architect at Ping Identity, explained.
“Legislation like the European GDPR attempts to answer this question, as it’s very clear about who owns the data: the person the data represents,” Dingle said. “The business that collects the data must act as a steward of this data, but in reality, there is no ownership of personal information.”
Peter Yeung, general counsel and vice president at Episerver, says it can be confusing.
“The confusion over who’s responsible for user data under GDPR is a result of the often disjointed nature of this data,” Yeung said. “Much like users’ data, the liability for GDPR is distributed across brands (acting as data controllers) and vendors (acting as data processors). Strictly speaking, the brand ‘owns’ the data and is responsible for gaining consent (or justifying such data under legitimate interest or contractual obligations), even if it’s transmitted, managed, stored or accessed through processors, sub-processors or another data controller. However, anyone who has a hand in user data in any way has a responsibility for ensuring compliance.”
Ultimately, Yeung says, it’s up to the controllers and processors to follow the brand’s lead.
“While brands must focus on implementing and maintaining a strict data governance policy as data controllers, data processors (such as CRM or CMS platforms) and third-party sub-processors must support brands’ data governance policies by providing capabilities for personal data portability, personal data retention and personal data destruction on behalf of the brands they work with. Further, they have to be able to support brands in their data privacy impact assessments (DPIAs) and maintain their own records and activity logs,” Yeung said.
Rob Glickman, chief marketing officer at data platform Treasure Data, says that since the controller assumes the risk, it owns the data.
The initial answer [to the question of who owns data] is that the data controller carries the risk,” Glickman said. “The processor must handle data securely and, if there is a breach, notify the controller as soon as a problem has been detected. But it’s the controller that is legally responsible. Consequently, the entity that is collecting and using the data must have proper protections in place for its own operations, as well as being sure that the processors they partner with – and, by extension, those they do business with – also have air-tight procedures in place. Remember, each party involved with the data represents a potential point of failure — and thus, culpability — for the data collector.”
But ultimately, it is the consumer that owns the data, Glickman said.
“Having said this, it’s worth noting that in 2018, privacy and trust have become paramount concerns,” Glickman said. “Therefore, the REAL answer to who owns data is actually ‘neither’ the controller or the processor. It’s the ‘data subject,’ or individual, who owns the data. This emerging reality is going to cause a tectonic shift in the way both processors and controllers need to think about how data is managed from this point forward. Data is now transactional and marketing companies must react accordingly so that individuals have the control they demand and deserve.”
Still, there’s no consensus
Abhi Yadav, founder and CEO of customer data platform ZyloTech, says “it’s complicated.”
“Each department in any given company is trying to control as much data as possible; whoever knows the most about the customer has the upper hand,” Yadav explained. “However, with all the marketing and advertising noise in the world, customers are facing more and more marketing fatigue. Despite natural competition between departments, a company as a whole will be better off if they work together to combine their data.”
Mike Herrick, senior vice president of product and engineering at engagement solution Urban Airship, says it depends.
“Your answer to ‘who owns the data?’ likely depends on which side of the pond you hail from,” Herrick said. “The US has a more commercial stance, whereas the EU is more consumer-centric. I think ideologically we can all agree that the customer should own the data and the businesses they choose to interact and share their information with are its stewards. There is more onus than ever for businesses to protect and appropriately use this information, especially offering individualized value, utility and convenience. Without that, you won’t get it in the first place.”
And Karl van den Bergh, chief marketing officer at DataStax, says we’re asking the wrong question.
“At DataStax, we believe that the issue is less about who ‘owns’ data and more about who is the custodian or caretaker of customers’ data,” van den Bergh said. “Ultimately, we think the best data custodians are the enterprises who serve their customers — not middlemen, market research firms or infrastructure providers. In other words, just because a company relies on a public cloud to house its data or a third-party researcher to collect or aggregate it, those middlemen are not the data custodians of either specific data or data anonymized in aggregate across a variety of other companies. We call this ‘data autonomy’ and believe it is a linchpin of the right-now economy and something every right-now enterprise must expect, demand and vigorously defend.”
Maybe asking who owns the data isn’t the right question. Maybe we should be asking who has the right to it. GDPR’s data protection rules make it clear that, at least for European citizens, individuals will have a right to access, move or even delete their data from whoever collected it. Time will tell if that’s even feasible and what that means for the rest of the world.
Here are links to the entire The Story of Data series: