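We caught up with Gilbert Hill to chat about his journey into the data privacy space, how the industry is evolving and his future predictions…
Andy: Tell me about your journey into the privacy space…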
Gilbert: Like so many I got into privacy by mistake. I was running a London web agency called Governor Technology for almost ten years. At Governor Technology, brands came to us with ideas with new technology and we’d bring those ideas to life. We were a bit of a skunk works, because we were small and agile enough to pick up these new technologies. We then conducted research and development and then went back to the brands showing them that they could use the latest platforms at the time, such as the Windows phone, Xbox Connect and LinkedIn.
I remember when we became aware of the need for accessibility in terms of web design for the blind and partially sighted users. That caught us on the hop, because we were so busy building websites and trying to do our best in terms of security and getting them out of the door that we hadn’t thought about it. When we had these particular requirements from Microsoft the problem was that many of the existing sites that we were responsible for weren’t built with that accessibility in mind.
We actually saw that group of people, not only as a group with rights but also as a target market. It all made us more receptive down the line when we became aware of the need for data privacy especially with the advent of the UK Cookie Law. For us a cookie was simply a tool and snippet of code that we used to make the web work in terms of personalisation. It was more a lever for us to understand more about what cookies were being used for and to build up profiles of users and track them. Which we now know to be the multibillion-dollar behavioural advertising industry.
So we needed to do the right thing, figure out how can you take a problem, turn it into an opportunity and add brand value. To that end we started to pivot the whole business with increasing awareness of privacy and regulation. We were increasingly informed by a desire to do the right thing.
It had also been very difficult to keep pace with other regulations. An example with the GDPR are articles of densely worded legal text. I found a really good way to get my head around it in terms of considering some actions for a client is just having a conversation. To think is that technologically possible? It’s currently legal under legislation or the GDPR to step back and say is it the right thing to do. I don’t think there has been enough of that privacy mindfulness. Plus not being a lawyer it starts to make more sense to me as a technologist but more importantly as a business person, parent, and a member of society.
Gilbert: It’s a fair observation. One of the inherent problems with the Cookie Law was the fact it was a directive. The central directive would be issued and then every country would pass its own law and interpret that. Each country would then have its wiggle room and in practice it was absolutely unmanageable if you were a big company as you’d have to implement a different solution for each of your markets. It’s also difficult to police something like that where you have a situation where a lot of companies were not aware or they thought it was simply enough to post up a basic disclosure.
Unlike the Cookie Law the GDPR is a regulation which meant it came and was enforced simultaneously across the whole of the European bloc. I got into the whole GDPR thing a few years ago when it used to be called EU-GDPR. It’s definitely become the gold standard, and even firms with an international presence see data as a risk to their global operations.
I used to work as an archaeologist and we’d talk about discovering hoards of iron artefacts and it’s similar in the modern world where we’ve all built up hoards of data. Data has come to be seen as an asset with huge valuations. What the GDPR addresses is that without a framework for discovering and managing the husbandry of that, data can mutate into a hazardous material.
Companies with exposure to different markets with lots of data want to keep a lid on that risk and take a pan-global approach. In the early days of the GDPR you’d hear about big fines. If you look at things like the recent British Airways (BA) breach and that’s the first under the new regime. Now back in the day BA could have been fined a maximum of five hundred thousand by the ICO. Now it’s four percent of global revenue. You’re now talking about five hundred million. Now those kind of things are bringing the issue of data privacy to the world.
Andy: How is the data space evolving?
Gilbert: We’ve had a huge pace of technological change resulting in the internet, connected devices and a huge data explosion. We’re sort of being passive in that we’re all being captured, trapped and monetised. Things like GDPR are the ultimate impact of regulatory change, and are more importantly increasing awareness. Citizens and consumers can now start to wield their newfound rights. This increase in awareness of the data trade off means we’re going to see people take back control of their data. People know data is being used as a weapon against them, things like the US election and Brexit. Data and privacy has now become politicised and I really never expected that to happen in the six years that I’ve been in the privacy space.
Andy: You talked before about the ‘weaponisation’ of data, what do you mean by that?
Gilbert: It is quite an emotive term but I think it sums up the unfairness of the odds stacked against people in terms of data privacy. And those businesses and SMEs that are in an environment where you’ve got a winner-takes-all situation like retail and online search.
Until now it’s not been possible to go against Google, normally because of the amounts of financial muscle and the amount of data that can be wielded. Also that they control the context as well. It’s binary and highly contextual and nuance and data that we’re all fluffing off by wearing a Fitbit or going to a website or even walking into a shopping mall can be taken and used as a weapon against us out of context. It can be a scary thing so there’s a need for some framework for this ethical capture. I would like to see people get free services and value on the web.
Andy: What do you mean by data ethics as brand value?
Gilbert: It’s a bit like what I was talking about with accessibility and that privacy is in a similar position. You could be aware that privacy regulation and data protection has got to be the Cinderella of business functions. So all of a sudden there’s a need for lots of data protection officers in the market and products in the market offering solutions with varying degrees of success.
I think privacy is in a similar position and that much of the work around GDPR has been close to lowest denominator, cleaning databases, filling basic forms and to achieve compliance. Now the GDPR is part of the landscape and although it hasn’t been a cataclysmic event we’re starting now to see the drip, drip, drip of scandals and breaches.
I’m quite encouraged about how quickly GDPR is morphing from what are we obliged to do. For example looking at existing practices and systems and saying: Why are we catching this data? Do we need this? What are we doing with it? If you’re not sure of the provenance of your data, does it have a shelf life? Then it’s likely that it’s not working very hard for you and is a risk to your brand.
Companies now have a chance to add brand value through doing the right thing when it comes to data ethics. Particularly in parallel with companies like Uber that has become damaged by its brand. As a business to say that we can manage data properly without cutting corners is one that’s to be applauded.
Andy: The data privacy space can tend to be quite negative… is there anything that excites you about the future of data privacy?
Gilbert: I’m very much on the optimistic side. I go to a lot of conferences where people tend to focus on the negatives. For me, the most important development in the privacy space is the idea of people taking control of their data. Where there are low barriers of entry there’s going to be an opportunity for small businesses to take these principles of privacy by design and start building new services around it.
Digital identity, verifying identity and monetising consumer data are all examples of this movement. I tend not to use Star Wars analogies because they are overused, but the dark side is quicker and easier. Doing things the right way takes time and we’re starting to see the first apps and businesses that are built around those principles.
A big thanks to Gilbert for chatting to us.