How Data Informs Business: Data Policies for Building Trust | Saylor Academy

Policies for the Data Economy

Data Policies for Building Trust

What is at stake

Policies ruling the data governance framework require as much attention as is given to the need for robust management of data infrastructure. This section focuses on data protection and privacy, as well as data security policies. Countries are struggling with how to build trust in the digital data economy. Policy considerations in many cases are similar to those posed by 'analog data'. Personal data, whether machine generated or not, is subject to the same privacy rules in Europe as analog, for instance. The World Intellectual Property Organization argues that no additional intellectual property protection should be awarded to machine-generated data beyond the traditional ones, nor should it be awarded less. A recent paper by the World Bank and the Consultative Group to Assist the Poor (CGAP), looking at the use of alternative data to build credit histories for greater financial inclusion, frames many policy questions that, at their core, do not vary much from those posed by the use of other kinds of data. If countries can tackle key aspects of trust policies, they will be well on their way to creating a better environment for the digital data economy.

Data protection and privacy are critical policy issues for the data economy and are key to building consumer trust. These are two separate but intertwined concepts. Data protection refers generally to the protection of personal data, though it may also be used in the context of commercially sensitive data. A common definition of personal data was cemented by the EU in its 95/46 Directive, as data that identifies a person, or allows such identification by cross-referencing it with other available data. Privacy is a broader concept, which has sometimes been defined as the right to be let alone, and it refers not only to data, although it partially covers it. What is at stake for either goes beyond keeping personal or embarrassing information from others. Big issues are how the data will be used and the risks that it will exclude people (such as, for example, by making people ineligible for insurance or credit) or be used for price discrimination, to suppress competition, or to manipulate people (such as, for example, through the crafting of news that could swing elections). This chapter uses 'data protection' and 'privacy' interchangeably.

Big data provides an example of the massive challenge to privacy in widespread use of technology. Big data preserves privacy by detaching information from individuals and repurposing it. However, by taking multiple, anonymized data sets and triangulating them, you can begin to break down that anonymity. For instance, take information about all the journeys that people have taken over the past year from a taxi service. This data alone is not necessarily sensitive, but if you combine it with venue information and social media, you could conceivably make assumptions about an individual who ended or began journeys at a known lesbian, gay, bisexual, and transgender (LGBT) destination. In countries where this is condemned by law, this information could result in people being sent to prison or worse.

The struggle between the need to protect privacy and allowing big data to continue to improve the way we live without quashing innovation is unlikely to be resolved easily. It remains to be seen how effective new laws, such as the GDPR, will be in achieving either of these aims. One certainty is that data production will not slow down and neither will the development of new ways to use it – legislators face an uphill battle to keep pace.

Trends in principles in protecting data privacy

Data protection laws have been in place for a while, with privacy rights protected as early as in ancient Roman times. Even though the right to privacy was not recognized as such by Roman law, several privacy violations, such as the invasion of the sanctity of one's home, were covered under the law. However, the numerous issues brought up by the sheer volume of data that can be collected about a person through online personas and questions about who can do what with those data, or who 'owns' that data, have brought privacy concerns to the forefront of the news and therefore to the desks of policy makers.

Technological developments are pushing policy makers to either amend existing privacy legislation or pass new legislation. The EU 95/46 Directive was replaced in May 2018 by the GDPR. Even international standards, such as the OECD Privacy Guidelines, or the APEC Privacy Framework, were recently revised or expanded to accommodate these developments.

The GDPR is likely to have a trickle-down effect as other countries revise data protection legislation, and it is already having extraterritorial reach in private sector behavior. Consumers around the world are getting notices of revised privacy policies by global companies in compliance with the GDPR, and some content websites outside Europe have refused access to European consumers because they could not ensure compliance with the GDPR.

Among the regulatory trends in the privacy space, the more salient are focused on a risk-based approach to compliance and on proactive measures to protect privacy, as opposed to measures in reaction to a breach. 'Privacy-by-design' standards require companies to embed technological measures protecting privacy in their product and service design, for instance, to ensure anonymity of users. The concept of privacy by design was developed by Ann Cavoukian, former Information and Privacy Commissioner in the Canadian Province of Ontario.

The GDPR takes this one step further by carving out the related concept of 'privacy by default'. With privacy by default, the expectation is that companies and those processing or controlling the data will put in place mechanisms to ensure that only those items of personal information needed for each specific purpose are processed 'by default'. The main principle is to be proactive rather than reactive and preventive instead of remedial. This is a practical approach for emerging markets to consider, since it can help enforcement, give the private sector a more proactive role, and help prevent privacy violations and data breaches. The capabilities of the local private sector would need to be considered, as well as a plan that would help them ease into this approach should they not have the necessary resources or skills to do so.

Another trend is a strong focus on data security, preventive as well as once a data breach has occurred, on breach notifications. This important corollary to privacy protections is discussed in more detail below

A legal framework is increasingly a necessity, not a luxury

The need for a legal privacy framework is no longer questioned, even in emerging markets that perhaps are used to seeing privacy at some point as a 'luxury' right. According to the United Nations Conference on Trade and Development, 108 countries either had data protection laws or some kind of law that deals with data, whether in force or not, as of April 1, 2018. However, levels of protection, particularly enforcement, vary widely, even within countries with legal frameworks. In the nearly 30 percent of countries with no laws in place, personal data receives little or no protection, reducing trust and confidence in a wide range of commercial activities. A lack of or weak regulation put these countries at risk of being cut off from international trade opportunities, because many trade transactions require cross-border data transfers that comply with minimum legal requirements.

The GDPR brings additional incentive to strengthen data protection regimes for countries without one or with weak regimes. With a clear objective for extraterritoriality beyond EU borders, the GDPR introduces fines of up to €20 million, or 4 percent of global turnover, whichever is higher, for firms that are data processors or controllers and found not to be compliant. Firms in emerging markets may be subject to those fines if they are found not compliant. This could happen, for instance, to firms with no or little physical presence in the EU, but whose advertisements target EU consumers. Enforcement could be done through the branch office or subsidiary located within the EU of the firm from the emerging market.

Issues to consider when enacting or updating a legal framework

Follow the principles

Numerous countries have identified the need for coordination and cooperation in privacy and data protection. Most have used regional bodies, such as the EU or Asia-Pacific Economic Cooperation, as the vehicle for that cooperation rather than international agreements. These bodies have enacted guidelines or regulations and, not surprisingly, many principles are common among them. Countries considering enacting or updating privacy legal frameworks can reference those common principles. These include principles shared by the European Convention on Human Rights, the OECD Privacy Guidelines, the APEC Privacy Framework, and the GDPR.

Raise awareness, highlight key issues, engage relevant stakeholders early on

at least 35 countries are currently drafting data protection laws to address this gap. A number of economies are also considering reforms to legal frameworks, including to the extent that it may be affected by extraterritorial application of the EU's GDPR. However, drafting and implementing data protection laws is time consuming and challenging. Surveys by UNCTAD of government representatives in 48 countries in Africa, Asia, and Latin America and the Caribbean point to the need to build awareness and knowledge among lawmakers and the judiciary to formulate informed policies and laws in data protection and to enforce them effectively. More than 60 percent of respondents reported difficulty understanding legal issues related to data protection and privacy. Similarly, 43 percent noted a lack of understanding among parliamentarians and 47 percent among police or law-enforcement bodies, which can delay adoption and enforcement of data protection laws.

Another study, covering 22 of the globe's largest information and communication technology (ICT) firms, found that none of them disclosed adequate information about privacy practices and how user information is collected, shared, retained, and used. Requests by governments for access to such data are growing, with most emanating from the United States (figure 6.2).

Figure 6.2 Government requests for user data

As with any other legal issue, when developing a legal framework, it is important to engage the main stakeholders early on. This will allow countries to understand potential issues and to get their buy-in and build capacity for implementation. Some countries, like Mexico, have put together a comprehensive effort to raise awareness of these issues with the different government branches, including at the state level. With the support of a World Bank project, the Ministry of Economy in Mexico commissioned a thorough review of existing legal issues and gaps and put together a training package for the judiciary, parliamentarians, and state government officials. This helped Mexico not only to identify issues, but also to prepare for implementation.

Other countries, particularly in Eastern Europe, have benefited from twinning programs with an existing data protection agency in another country that has provided technical assistance in the setting up of both the legal framework and their counterpart agency. It is also important to identify potential issues and concerns for private sector stakeholders at an early stage. Countries in the Latin American region support each other in such initiatives through the Ibero-American Data Protection Network. Seychelles is reviewing its data protection framework andOther countries, particularly in Eastern Europe, have benefited from twinning programs with an existing data protection agency in another country that has provided technical assistance in the setting up of both the legal framework and their counterpart agency. It is also important to identify potential issues and concerns for private sector stakeholders at an early stage. Countries in the Latin American region support each other in such initiatives through the Ibero-American Data Protection Network. Seychelles is reviewing its data protection framework and is conducting stakeholder consultations. This will help its government put together a framework taking into account potential obstacles for implementation, including those that could come from a lack of private sector capacity or other country-specific issues.

Consider the legal culture

As seen in chapter 4 and figure ES.4, the level of tolerance for giving up one's privacy varies from country to country, and from individual to individual, with some citizens putting greater value on protecting their credit card information and others placing greater value on protecting their health information. For any country considering enacting a new privacy framework, this cultural dimension will be critical. A reflection of these cultural issues can be seen in the different approaches to privacy taken by the EU and the United States. In the EU, the right to privacy, but also the right to have one's personal data protected, are considered fundamental and are recognized in the Charter of Fundamental Rights of the European Union. This approach has resulted in the EU having an umbrella data protection framework that does not distinguish between data being held by private or public actors, and which contemplates only a few exceptions, such as in the area of national security. But the EU is not alone in considering privacy a fundamental right. Even in India, where this was no explicit right to privacy, India's Supreme Court found recently that privacy is a fundamental right protected by the constitution. In the United States, by contrast, privacy is not recognized as a fundamental right. Although constitutional limits on the government's intrusion into individuals' right to privacy can be found in the Fourth Amendment, and to some extent in the First and Fifth Amendments, the right to privacy is more of a balancing act against other rights, including very strong rights to free speech and freedom of information. This has led to a more segmented approach to privacy protection, with, for instance, a Privacy Act for children, and for the health sector (Health Insurance Portability and Accountability Act). These deal with data held by government entities and are complemented by different pieces of legislation for data held by commercial entities. The international trend has been toward more comprehensive privacy frameworks, however, and even in the United States several bills have been introduced for 'omnibus privacy laws,' although they have not yet been adopted.

by the constitution. In the United States, by contrast, privacy is not recognized as a fundamental right. Although constitutional limits on the government's intrusion into individuals' right to privacy can be found in the Fourth Amendment, and to some extent in the First and Fifth Amendments, the right to privacy is more of a balancing act against other rights, including very strong rights to free speech and freedom of information. This has led to a more segmented approach to privacy protection, with, for instance, a Privacy Act for children, and for the health sector (Health Insurance Portability and Accountability Act). These deal with data held by government entities and are complemented by different pieces of legislation for data held by commercial entities. The international trend has been toward more comprehensive privacy frameworks, however, and even in the United States several bills have been introduced for 'omnibus privacy laws,' although they have not yet been adopted.

In some countries, the use of alternative sources of data (such as credit history downloads from a mobile phone) has revolutionized financial inclusion, allowing consumers with little to no credit history to access credit, but could also further raise the bar for others to ever be able to access credit. However, the use of those same data can lead to price discrimination on the basis of race or gender, or to denial of credit because of data inaccuracy. Questions arise about where to draw the line and whether the basis for government action should only be preventing harm. For those who view privacy as a fundamental right, there is no need of injury for a government intervention, while the definition of injury can be as broad as contravening a person's expectations with regard to respect for their privacy.

Other considerations: Extraterritoriality, trade issues, and cross-border data flows

A key privacy policy issue with potential for big effects on a country's economy is the regulation of cross-border data flows. McKinsey Global Institute estimates that flows of data and information now generate more economic value than the global goods trade. Although many of these data flows are concentrated in a handful of large companies, some, such as eBay, Amazon, and Alibaba, are really platforms allowing SMEs all over the world to becoming mini- exporters, with an impact across multiple economies. And individuals are not being left behind. About 900 million people have used international connections on social media to connect to networks to find a job, and 360 million take part in cross-border e-commerce.

Data transfer policies

Companies need to transfer many different kinds of data across borders in the regular course of business. Those may include data related to commercial transactions, their own internal operations, monitoring supply, human resources data of global employees, and product support in real time. Countries that regulate data leaving their borders often do so on the basis of privacy and data security concerns. Already in the 95/46 Directive, the EU regulated data transfers outside of the EU, and transfers were only allowed to countries the EC determined had adequate data protection. So countries with lower standards risk cutting off opportunities for firms or individuals in their countries from using platforms, websites, or activities involving the transfer of data with EU countries. Governments contemplating restrictions on data transfers outside their borders based on privacy and data security, above those of existing international standards, may discover that global companies decide that it is simpler to block consumers in a particular jurisdiction from accessing services than to try to comply with the data protection rules of that country. This is the recent example of U.S. advertising technology companies. Having data policies out of line with larger regional players is a particular problem for small markets in developing countries that are not part of a wider trade bloc.

Self-regulation, if it complies with required international standards, is another option. Given the reality of global commerce, even the EC has allowed the use of some self-regulatory tools to ensure adequate protection of data outside of its borders under the 95/46 Directive. Global companies could issue binding corporate rules or policies that are internal to a group of companies and become binding once approved by the relevant data protection authorities. They could also use model contracts with their subsidiaries that would ensure adequate protection of personal data. The GDPR expands existing mechanisms and introduces new tools for international transfers. It offers, among other things, adequacy decisions, standard contractual rules, binding corporate rules, certification mechanisms, codes of conduct, and so-called derogations. Countries considering these options have to consider enforceability of instruments like the codes of conduct, and what happens if an institution does not follow its code.

Beyond self-regulation, another option could be specific bilateral agreements between countries, whereby smaller countries offer mutual recognition of rules applied in larger trade blocs, such as the EU, similar to the approach used in type approval (that is, homologation) of customer premises equipment. The EC signed an agreement on International Safe Harbor Privacy Principles, whereby certain companies subject to the FTC's jurisdiction would commit to protect data abiding by the same principles spelled out in the directive. This allowed many companies in the United States, which did not have an 'adequacy' finding from the EC, to still transfer data to and from Europe. The Safe Harbor agreement has now been replaced by the Privacy Shield agreement.

But even if countries do not impose particular restrictions on data flows, having to comply with different sets of data protection rules in different countries becomes costly for companies, and a de facto trade barrier. This has led some companies to apply the EU standards to their worldwide operations, as they are considered some of the most stringent, hoping to minimize compliance costs.

Data localization

Data localization policies, in addition to data transfer policies, affect cross-border data flows, international trade, and access to global markets. Data localization rules require firms to locate data servers or data centers within the borders of a country to store and process information. Studies show that data localization and other barriers to data flows impose significant costs: reducing U.S. GDP by 0.1–0.36 percent; causing prices for some cloud services in Brazil and the EU to increase by 10.5 percentage points to 54 percent; and reducing GDP growth from 2.4 percent to 1.7 percent in Brazil, China, the EU, India, Indonesia, the Republic of Korea, and Vietnam, which have all either proposed or enacted data localization policies.

In Rwanda, the regulatory body, the Rwanda Utilities Regulatory Authority, went a step further and imposed a fine of US$8.5 million in May 2017 on the mobile operator MTN for storing customer data in Uganda. This is equivalent to about 10 percent of its annual revenue, and the decision is likely to have a chilling effect on foreign investment into the country, as well as deterring foreign firms from offering services there.

Defenders of localization laws cite national security, protection of personal data, local cultural and historical context, and economic nationalism as arguments; opponents see such laws as a major barrier to trade and competitiveness. Localization creates its own set of winners and losers in the domestic market. It has been argued that localization laws benefit larger firms at the expense of smaller firms that often do not have in-house data skills and must often pay more per unit of data stored at local firms than might have been available from international data hosting services.

On the other hand, localization laws can shelter local firms to develop skills and capacity without the threat of competition from international firms. Opponents also cite issues such as poor data security (as many countries with localization laws lack the skills to handle data securely) and the risk that localization requirements can soon become more pervasive and expand to include other types of data.

Balancing other rights

Data protection and privacy are not absolute rights and need to be balanced against other rights. Some of those rights are access to information, freedom of speech, and the protection of national or personal security interests. Different countries place different emphasis on different values. For access to information, the benefit or the public good of divulging certain information needs to be balanced against an individual's right to privacy. It is generally accepted in many jurisdictions that individuals with a public persona have a lesser expectation of privacy than others. For instance, there is legitimate public interest in knowing whether a lawyer who is prosecuting a case of sexual harassment is practicing what they preach. But even here, public figures are increasingly bringing cases involving the violation of privacy and sometimes winning compensation for alleged defamation of character.

Implementation issues

Enforcement

As with any laws, when considering privacy laws, enforcement is a key issue. Whatever the framework, it is only as worthy as its enforcement. Even absent a specific privacy framework, a strong enforcement agency can still protect people's rights through an interpretation of other existing laws. This has been the case for the U.S. FTC. The FTC has been a strong enforcer of privacy rights by implementing a more general statue, the Federal Trade Commission Act, which gives them jurisdiction to protect consumers from deceptive or unfair acts or practices. Examples of recent cases include privacy cases against Uber, Lenovo, VTech, and Venmo.

The reverse is also true. Countries with strong legal frameworks on paper that are nonetheless not enforced remain at the same level as countries with no framework at all. Countries considering institutional arrangements for their laws can look at different models of good practices around the world. The EU GDPR calls for the establishment of independent data protection authorities. Following this model, some economies have chosen to establish a standalone data protection authority, including Canada, Mauritius, and South Africa. Other countries have chosen to merge that independent authority with the authority protecting access to information rights, such as Mexico and the United Kingdom. Other countries, such as the United States, have jurisdiction spread among several agencies, with the consumer protection agency as one of the main enforcers. Yet another model brings the enforcement powers for privacy laws under the Ministry of Justice, such as in Argentina.

No absolute right or wrong way to think about enforcement exists, as long as the end results are there and the law is enforced. Important considerations are identified in the OECD Privacy Guidelines, and include encouraging and supporting self-regulation, whether in the form of codes of conduct or otherwise; providing for reasonable means for individuals to exercise their rights; providing for adequate sanctions and remedies in case of failure to comply with privacy frameworks; and ensuring no unfair discrimination against data subjects.

Emerging market economies need to consider what is feasible within their own contexts, taking into account the budget and skills required. Enforcement alliances, both with other local enforcement agencies, including criminal, as well as with international enforcement agencies, can help greatly.

Enforcers can also have a role in continuous awareness raising, both for the data subjects and for those who manipulate the data.

Course Introduction

Course Syllabus

Unit 1: Introduction to Data-Driven Decision-Making

1.1: What is Data-Driven Decision-Making?

Data-Driven Decision-Making

Data-Driven Decisions

Project Lifecycle

More on Data-Driven Decisions

1.1.1: Data-Driven Information

Making Data-Driven Decisions

Data-Driven Decision Support

1.1.2: Data-Driven Learning

Process Indicators

Goal-Setting for Achievement

1.1.3: Data-Driven Science

Theory Driven or Process Driven Predictions?

Learn Data Science

1.2: Using Data-Driven Decision-Making in the Real World

Data-Driven Development

Using Data Responsibly

How Data Informs Business

Decision-Making in Management

The Advantage of Digital Decision-Making

The Effects of using Business Intelligence Systems

Unit 1 Discussion

Unit 1 Study Resources

Unit 1 Review Video

Unit 1 Review Slides

Study Guide: Unit 1

Unit 1 Assessment

Unit 1 Assessment

Unit 2: Transforming to a Data-Driven Decision-Making Enterprise

2.1: DDDM Implementation Continuums

Developing an Analytical Mindset

Data-Driven Decision-Making Change Model

2.1.1: Data/Technology

The Data and Technology Continuum

2.1.2: Organizational/People

The Organization Continuum

2.1.3: Process/Workflow

The Process Continuum

2.2: Critical Success Factors

Critical Success Factors

Unit 2 Discussion

Unit 2 Study Resources

Unit 2 Review Video

Unit 2 Review Slides

Study Guide: Unit 2

Unit 2 Assessment

Unit 2 Assessment

Unit 3: The Role of Leadership

3.1: The Role of Leadership

Leadership Needs in the 21st Century

Becoming a Data Driven PM

Embracing Big Data and Data Analytics

3.2: Leadership versus Other Critical Success Factors

Leadership and Innovation

3.3: What Is Effective Leadership?

Effecitve Leaders

Effective vs. Poor Leadership

Leadership Development Practices

Unit 3 Discussion

Unit 3 Study Resources

Unit 3 Review Video

Unit 3 Review Slides

Study Guide: Unit 3

Unit 3 Assessment

Unit 3 Assessment

Unit 4: Types of Data

4.1: Quanitative Data

Qualitative versus Quantitative Data

Characteristics of Qualitative and Quantitative Data

4.2: Qualitative Data

Qualitative and Quantitative Data

More on Qualitative and Quantitative Data

Quantitative versus Qualitative Data Summary

4.3: Big Data

What is Big Data?

Big Data in New Product Development

4.4: Types of Analytics