As Grace Slick Once Said: Go Ask Alice
Back in 1965, well before GDPR, or before people in our world were discussing Alice and Bob, singer/songwriter Grace Slick (Great Society, Jefferson Airplane, Jefferson Starship) composed a song, White Rabbit. A refrain from that song might well be the theme for today’s post. Following up on yesterday’s look at how PDEC members view the GDPR, Grace Slick sang, “Go Ask Alice, I Think She’ll Know.”
Permission and/or Consent from Alice, in the Alice and Bob archetype, is one of the keys to compliance in the GDPR. An example I like to use is Alice’s hat size. When Alice shops at Harrods, and buys hats of a certain brand, the size there is always Medium, 57cm, UK Size 7. But when she goes to The Stephen Jones Millinery in Covent Garden, the way hats are made there, her size is Medium, 56cm, UK Size 6 7/8.
Some hats have bands inside of varying degrees of thickness, which affects the size and fit, as well as the look. Alice knows this and wants to control what hat size data (personal data!) is sent where.
Why is this important? Because Alice can’t have a Personal Data Store or Vault with just one hat size, that she can enable Bob (or, in this example, Bob’s Fine Hat Shop) or all the Bobs she might ever deal with, to have access to. Part of the intent, and to a degree the beauty of the GDPR, is that it gives Alice control over what data she shares with which or with what entity, or entities. And Alice can pinpoint exactly which specific, individual data point(s) those might be. Alice’s choice. Not Bob’s choice.
Imagine if this were more sensitive data.
Or more valuable data, to Bob or other sorts of Bobs, or, as intended by the GDPR, just not data of Alice’s that the Bobs of the world can trade, sell, gather, and make a market in WITHOUT consent from Alice.
Hat size is a handy metaphor. Hats, like dresses, shoes, pants, shirts, and many other articles of clothing, vary in size by label, country of origin, size metrics of country. Extend this metaphor to more personal products and the sensitivity level increases. Alice is less likely to want this data shared at all.
Health data also falls under the rubric of extremely sensitive personal information. Medical history, test results, the tests themselves, all can be put to ill-use in the wrong hands. Health data is personal, also quite valuable. And thus gain may be made with this data. Some – not all -doctors, hospitals, clinics, and laboratories have made use of collected data for profit, as a matter of course. Prior to May 25th this was acceptable. After May 25th it is a different story.
This concept of Data having Value, or Personal Data being commoditized, brings us to a PDEC view of the matter. The Personal Information Economy side of the coin.
It’s time to think of Alice like the Cuba Gooding character in the Jerry Maguire movie. Alice should be yelling, “SHOW ME THE MONEY!”
If Alice’s hat size or her medical records (or household income, make of car, birthdate, gender, level of education, postal code, years at her/his place of employment, number of pleasure or business trips taken per year, last movie seen, how often he/she dines at a restaurant, etc.) has value to those who collect and sell these data, then why isn’t Alice getting paid for the use of that data?
Under the terms of the GDPR Alice has the right to refuse to permit data from being shared. Alice can also refuse to be tracked while browsing the web.
Again, as discussed yesterday, we are back to the transit of Alice’s data. What is the process, how do the various Bobs get the data from their Alices, remaining in compliance with the GDPR? How do the Bobs remain current with [their many] Alices’ wants and desires to express changes in her shared data? What process is in place, and GDPR-compliant, for Alice to make any changes (in hat size, or perhaps pants size if Alice has gained or lost weight), or in consent or permission with regard to allowing or disallowing sharing of those data? How does data go back and forth between Alice and the Bobs in her life?
Those “Bobs” are legion. Stores of many kinds, doctors, insurance companies, mobile phone carriers, banks, brokerage and loan companies, the utility companies. And then there are those online accounts, such as Venmo, eBay, PayPal, Ing, Netflix, Lyft, and so on.
Is it too soon to ask Alice? Are we being overly optimistic by saying, Go Ask Alice, I Think She’ll Know? What are the products and services that focus on the Alice-to-Bob encrypted flow of Personal Data? Bobs, be they large or small, have systems in place. Do those systems allow for the transit of data under GDPR guidelines? We hear all about protection and encryption of data, but what of the exchange, allowing Alice her control of her Personal Data?
Look at the PDEC Logo and heading at the top of this page. What does it say, right below Personal Data Ecosystem Consortium?
Empowering People with Their Personal Data.
This focus is key to PDEC membership. We want to feature our PDEC members offering these in keeping with GDPR services.
In yesterday’s member email and PDEC blog post we posed some of these questions. To our delight there was some immediate response. We interpret that as an indicator of early initial response, and that more of you have also addressed these Alice-side issues. Let us hear from you.
We’ve also had some early discussions about guest blog posts and guest member services mailers. Don’t be shy! We welcome your input and are eager to share thoughts and opinions. There have also been some pro and con Blockchain conversations, each side being quite passionate in their position.
If you want to share your thoughts with us but remain anonymous, we will honor that, as well.
PDEC is here to be of help, to share ideas, to work with our members and help one and all grow in the Personal Information Economy.
######
One more thing! Getting back to hats: there are those who take hats very seriously. Did you know there is such a thing as Hat Etiquette? Take a look at Christy’s of London, in the business of making hats since 1773.