Uncertainty over Brexit has made many organisations hesitate in preparing for the General Data Protection Regulation (GDPR). Despite the Queen’s Speech and the forthcoming Data Protection Act, many still have their heads in the sand about how to respond to what the Regulation demands.
One consequence is that they are failing to look through the curve at the positive outcomes which GDPR might deliver. Another, potentially more serious one, is that they are falling behind consumers’ views about their data rights and the value they place on them - ensuring these are respected and delivered was one of the major objectives of the Regulation from the outset.
To help quantify how each side of the data-value exchange is viewing this new regulatory world, the Department for Culture, Media and Sport (DCMS), commissioned London Economics, a leading politics and economics consultancy, to study both the consumer and business perceptions and consider the impacts post-May 2018.
The report represents the most sophisticated and articulate view of GDPR yet produced, especially in the way it probes consumer valuation of their rights through a choice exercise and in unpicking business perceptions. Two findings stand out - firstly, that consumers will forgo savings of 5 to 10% on their weekly/monthly domestic exenditure on transactions that involve the disclosure of significant amounts of personal data in order to have the rights which are enshrined in GDPR; secondly, that, in the words of the report’s authors, “in-depth interviews [with businesses] revealed a lack of imagination and preparedness in terms of the more far-reaching impacts of GDPR, especially second-order effects such as the emergence of new data-centric business models, and privacy and data protection as a competitive advantage.”
With publication of the report today by DCMS, DataIQ put six of the commonest responses it has encountered to GDPR to Moritz Godel (MG), associate director, London Economics and co-author of the report.
CONSUMER PERSPECTIVES ON GDPR
MG: There is strong evidence that individuals value their personal data and the value increases with the quantity and the sensitivity of the data involved. However, how much consumers care is very context-specific. Few people care that the coffee shop knows they’re inside when they use the free wifi. It’s the impact of data on their lives that consumers care about.
The idea that everything that is “personal data” under the GDPR definition is of equal importance for consumers is clearly wrong - consumers adopt a “risk-based” approach. There is also artificial confusion about “data protection” v “data security” - I’d argue that, for consumers, this often doesn’t matter. They don’t like their data being misused.
One of the key new insights from our study is that consumers place a high value on the existence of the data protection framework, including the large fines brought in by GDPR, precisely because this gives them the confidence to participate in the digital economy. The policy debate is often “consumers are afraid, so we need more data protection”, whereas the reality is the vast majority of consumers are happy to share data to participate in e-commerce, social media, etc. In the economics literature, this is called the “privacy paradox”.
There are lots of experiments that show that consumers say they value keeping their data private, but then, in observed behaviour, they are quite careless. Incidentally, this also makes a lot of the survey evidence that exists on this issue suspect: what consumers say they think/will do in relation to sharing data is a poor predictor of actual behaviour.
This is where our study makes a substantial new contribution. The choice experiment we ran on data sharing in different consumer applications (loyalty cards, smart meters, health tracking) means that we are not just asking consumers what they think, we measure how they trade off the strength of data protection against the benefits they get from sharing data.
And we find that they attach a high value to the existence of the rights included in GDPR: individuals are willing to forego savings of roughly 5% to 10% on weekly spending on shopping, monthly spending on electricity or monthly spending on health insurance in order to have the rights enshrined in GDPR. Interestingly, the existence of maximum fines for non-compliance in GDPR gets the highest valuations.
My interpretation of these results is that data protection rules provide a safety net. Companies have to be careful with data, they have to adhere to high protection standards or they will be penalised - this allows confidence to bounce back after data breaches.
This is what the graphic tries to summarise. Note that the value doesn’t depend on the exercise of the rights (eg, accessing one’s personal data, asking for erasure). In fact, industry figures say consumers very rarely exercise their rights (and this is not expected to change much with GDPR, although the big unknown here is the role of new intermediary services, data brokers, etc). It’s the existence of the rights that matter to consumers.
2. If consumers trust the brand, they will happily share their data
MG: We find that trust in brands is a big factor in willingness to share data. But data rights are seen by consumers as almost as important as brand reputation, past experience and the type of data involved in the decision to give out personal data, with data rights only seen as marginally less important. We also see that consumers are more positive about how important data rights are in these decisions than professionals.
3. Consumers understand that, if they are getting a service for free, the payment is their personal information
MG: This is certainly true to some extent. But how personal information is used and how valuable it is (and to whom) is not something that consumers (or professionals!) understand very well. We see some services springing up that try to monetise personal data on behalf of the consumer - it will very interesting to see how these develop.
After all, this is not a new idea, Hal Varian was talking about micro-payments for data in the 1990s. At the moment, there is a huge asymmetry of information which seems to favour the businesses that use the data. In our study, consumers included in the choice experiment were asked whether they were aware that personal data is being collected as part of a number of common consumer transactions. This chart shows the percentage of respondents that either are or are not aware of data collection in the three scenarios presented in the choice experiment, as well as social media and credit scoring.
In all cases, the majority of consumers are aware of data being collected about them, but the spread varies. About 15% of respondents are not aware of data collection by credit scoring agencies, which increases to 43% for smart metering.
Taken together, the evidence of the high valuation once data protection rights and trade-offs are made explicit and the evidence on limited awareness of data collection practices in different industries suggests that consumers value their rights even though they underestimate their scope (so they might value data protection rights even more if they knew how much of their data is used).
The lack of awareness that data is collected would seem to benefit firms. There is a 2004 paper by C.R. Taylor, “Consumer privacy and the market for customer information”, for example, that finds that, if consumers do not anticipate firms’ ability to use details about their past interactions for price discrimination, their surplus is captured by firms.
BUSINESS PERSPECTIVES ON GDPR
4. Businesses who already comply with DPA will have no problem with GDPR
MG: This is a dangerous assumption.
Opt-in consent is a big issue, not just for direct marketing and the brands that depend on it, but also for the charity sector. I would also add data portability as something few businesses have thought through. Although, in fairness, how it will look in practice and how big a change it will be is far from clear.
5. Businesses won’t take risks with personal information because of the threat of reputational damage
MG: Our interviews said the loss of consumer trust would be a much larger problem for them than the fine following a data breach. However, there is also evidence that companies can bounce back from reputational damage after a data breach.
There is quite strong evidence that negative shocks to company value are short-lived. Our choice experiment shows that consumers value not only protective measures, but especially fines. This could explain the apparent contradiction: the data protection framework mitigates the effect of a localised loss of trust (ie, a data breach affecting a specific data controller) by reassuring consumers that companies are incentivised to keep data safe and to react to a loss event by strengthening security.
6. GDPR is just another cost to business - it won’t drive any value
MG: For many companies for whom data is not at the heart of their business, this is probably true, but then, costs for them won’t be very high, either. For the rest, see above.
I’d argue that GDPR in the general sense of a strong, contemporary data protection framework is already driving value by giving consumers the confidence to participate in the digital economy. And the professionals we surveyed are positive about GDPR - very few see it as purely a cost issue.
On a very basic level, it’s about good customer relationships. Some of the more savvy/experienced professionals, especially in retail, see some potential in creating “transparency platforms” where consumers can manage their own privacy. While past experience with such ideas has not been great (consumers don’t use those systems much and they are expensive to set up and maintain/make useful), this could change very rapidly once we start thinking about AI-driven automated services for consumers to manage their privacy.
It is fair to say that the data industry is sceptical that GDPR will drive additional value. In our study, only 21 of the 250 of the professionals surveyed predict that the package of rights to data portability, erasure and access will increase their profitability.
But the overall picture is one of uncertainty when it comes to the benefits of GDPR. Our study revealed a lack of imagination and preparedness in terms of the more far-reaching impacts of GDPR, especially second-order effects such as the emergence of new data-centric business models, and privacy and data protection as a competitive advantage.