Data 'chain of custody' : Learning from forestry protection


2016 will go down in history as deeply troubling from the data handling perspective. While businesses struggle to deal with huge volumes of data, there is much they can learn from an industry that deals with forests of its own – paper. Just as the sustainability of forests needs global commitments to ‘chain of custody’, so does our personal data.

An example: activity-based life insurance

To illustrate the point, many will be aware of the latest hugely successful activity-based life insurance schemes like Vitality. Such schemes are motivational and ultimately very good value for money. In a nutshell, your physical activity is reported to their servers, which then award discounts in kind. To automate the process, several devices and wearables are supported, including Apple Watch, Garmin, Fitbit and Polar. It’s a simple matter of linking the accounts. And points make… prizes.

Innocuous or misleading?

One is obliged to agree to relatively innocuous privacy terms before sharing one’s critically sensitive data. An excerpt as follows:

Who we may share data with:

We may disclose data to other parties, which could include (but is not restricted to) our business associates, agents and service provider.....

Data may be processed by service providers in a country outside the European Economic Area, which may not have the same standard of data protection as in the UK. We will ensure appropriate safeguards are in place to protect any data.

Despite an official UK business address, a quick IP lookup shows the processing web service as being in South Africa. It turns out the entire operation is a third-party contractor based in Johannesburg and there is no service provider at all in the European Economic Area. From the initial point of engagement, the entire process, which involves transferring the most intimate and personal data of all (personal health, location and heart rate), is being exported and processed beyond direct UK or EU purview. There was clearly never any other intention. Worried about where all that data will end up? One is left to rely on their interpretation of what they consider to be ‘appropriate safeguards’. Why say ‘Data may be processed’? Why not just say ‘Data will be processed in South Africa’?

Regulation is not enough

Chapter V of the GDPR (General Data Protection Regulation) is devoted to the export of personal data and allows it to be transferred if the Commission deems the recipient’s level of protection adequate. (Interestingly, the ICO uses activity-based insurance as its working example.) Indeed, South Africa has its own legislative framework, POPI, which may be deemed as such. In any event, it is still unclear what areas of GDPR, due to be invoked in 2018, will be applied in the UK post-Brexit. Until then we have the Data Protection Act. A separate discussion for another time.

Compliance with GDPR/DPA is not the point though. Whilst lawful, this lackadaisical and even misleading attitude to customers’ critical data and its ‘chain of custody’ is wholly unacceptable. Regulation is not enough. Customers themselves need to take a clear active role in moulding service providers’ attitudes with their wallets.

Learning Lessons from the Forestry Council

The paper industry has already implemented a similar initiative. The Forest Stewardship Council (FSC) runs a global forest certification system to assure that every touch point in the supply chain complies with its standards. They call it ‘chain-of-custody’. Just about every reputable mill, merchant and reseller has had to go through the same approval process. In this way, the end customer is assured that paper carrying the FSC stamp is environmentally friendly and of the stated quality.

Of course, it would be easier and cheaper for paper suppliers to make misleading statements in their terms and conditions about how much they care for the environment and how they have taken ‘adequate measures’ to promote forest sustainability. The reason FSC has worked is that customers are stipulating compliance within their purchasing requirements. Buyer pressure is forcing paper suppliers to be, or at the very least appear to be, ‘doing the right thing’. Collective responsibility for quality and environmental care has made FSC paper the ‘healthy option’, helping it to escape the negative association with ruining the world’s natural resources.

A shining example

Charities are one sector firmly under the data spotlight, hopefully becoming the shining example they always should have been. The RSPCA and British Heart Foundation are the latest to be fined under the Data Protection Act for sharing the private records of 7 and 5 million donors respectively. We should not forget they were initially shoved into action by the public outrage following the tragic death of Olive Cooke in May 2015 and the subsequent FRSB report. Since then, charities seem to have finally realised that a key requirement of successful donor engagement is to demonstrate a commitment to an ethical approach to donor data, beyond the letter of the law.

Why should I care?

Whether it be apathy or ignorance, most consumers are blissfully unaware of the risks associated with the wholesale exploitation of their personal financial and health data, with or without their permission. Not caring implies that one doesn't mind if one's identity is stolen, emails read, bank accounts accessed and so on. The lazy answer, ‘Why should I care? I have nothing to hide’, is simply not good enough.

But the fundamental obstacle to data transparency is that service providers have no buyer demand beyond legislative control. Consequently, all that will transpire is ever more complicated, nuanced legalese without any significant change in behaviour. For change to occur on a grand scale, brands need to realise that a commitment to the data ‘chain-of-custody’ is a key differentiator and is good for business. For that to happen, customers need to be educated to make their purchasing decisions. As a start, they must escape the general malaise of apathy.

After the exposure of one data fiasco after another in 2016 (Yahoo, TalkTalk, SWIFT financial and even Domino’s Pizza, to name a few), 2017 must surely be the year when customers take a greater interest in what happens to their information ‘downstream’. As for brands and service providers, resorting to sneakily worded legalese is all rather… 2016.
