Modern technologies for business

The Unbearable Lightness of Data/The Unbearable Heaviness of Data Protection

Why does Cristiano Ronaldo earn 100 times more than a neurosurgeon? Is it because his footballing skills are that many times harder to master than a neurosurgeon’s? Or that I get 100 times more happiness, well-being or value from him than I do from a neurosurgeon? No. It is primarily because one person (and their loved ones) get the value from a couple of hours of a neurosurgeon’s time, whereas a billion people can enjoy watching Ronaldo’s silky football skills during a game, and indeed they can continue to enjoy them many times over, forever. The Ronaldo experience is scalable; the neurosurgeon experience is not.

This story essentially boils down to the lightness of data. Data can be created, stored and transmitted at very, very small cost compared to the value it can create. So any business that boils down to information is potentially massively scalable and hence profitable. That is why we see the surprising valuations of Airbnb vs. conventional hotel groups, etc.

What is the rational response of any company to this? Clearly, it is to work out how they can ‘informationize’ their business model. Gather as much data as possible. Look for ways to monetize it, both to make their existing business profitable, and maybe to create new lines of business from the data. Regarding consumer/citizen data – the more the better.

On a philosophical note, I would suggest that this asymmetry between physical businesses and informational businesses is actually causing free market economics to break, or at least to creak at the seams. (That is why I borrowed the ‘unbearable lightness’ meme from Milan Kundera.)

But on a more practical and immediate note, the incentive has been for all of us to become data hoarders. We have acted as if all data is good data to keep, even if we are not quite sure how we will use it. The only slight incentive in the other direction is data protection and privacy – making sure we don’t use data in inappropriate ways or let it leak to evil-doers.

There is considerable concern that many companies might well not be ready when GDPR comes into force
Enter GDPR, the data protection directive that comes into force on 25 May 2018, and applies to anyone doing business in the European Union, or with citizens of the EU. And perhaps more importantly, the high-water mark for data protection that Canada and others are following, which is widely believed to be the template for global data protection standards.

If I were to translate GDPR into a short summary of sentiment, I would describe it as “Right. That’s it. No more Mr Nice Guy.” GDPR attempts to protect individuals’ rights very thoroughly, in terms of their right to know what you know about them, to be forgotten, and to be informed when you have a breach that affects them. And all of this has to be prompt. The penalties for violating these rules are very severe, reaching up to €20 million or 4 percent of the violator’s global group revenues. The rules are also designed to make sure companies cannot delegate responsibility to other companies processing their data. The buck stops with you, whoever is doing the processing for you.

Suddenly, data doesn’t feel so unbearably light any more – in fact, GDPR makes data feel rather heavy and expensive. Companies and government agencies have to make smart decisions about what data they want and need to hold, and have a very good handle on where it all is, in case a request for information or erasure comes in, or indeed a cyber-security breach. My colleague Mike Bufalino will be writing about GDPR in more detail as part of our soon-to-be-published report on cyber risk for the board, but suffice it to say that there is considerable concern that many companies might well not be ready when GDPR comes into force in May 2018.

The upside of compliance with GDPR means that a company must have a very good handle on all data related to each individual customer. Achieving this may well create a more sophisticated understanding of the customer, and uncover additional business opportunities.

Although this certainly isn’t a CIO/IT-only issue, we would expect every CIO, as a digital leader of the business, to be getting ahead of this issue, and helping their colleagues in the C-suite make smart decisions around their approaches to data and data protection.

 This post first appeared on Leading Edge Forum in May 2017.

Dave Aron

Author: Dave Aron

Dave Aron, based in the UK, is Global Research Director for Leading Edge Forum.  In this position, he guides a series of global research initiatives aimed at helping CIOs and other Business/ IT leaders reimagine their organizations and leadership for a tech-driven future.

Dave’s key areas of research include digital business, strategy and new business models.  Previously, Dave spent more than 12 years at Gartner, as a Gartner Fellow, focusing on strategy and CIO leadership issues.  Dave has more than 30 years’ experience in the IT business and has been writing, speaking and teaching on digital business, IT strategy and other topics around the world for more than a decade.

Dave holds a BSc in Computer Science from Queen Mary College, and an MBA from London Business School.

Dave’s alter ego is Mu, The 21st Century Anti-Strategist, which comprises Dave’s distilled thoughts about what doesn’t make sense as 20th century organizations sleepwalk into the 21st century.