Good data governance is good business

Trust is the real currency of the digital economy, according to Katryna Dow, founder and CEO of life management firm Meeco.

“In the wake of massive data breaches at companies like Facebook and Equifax and in the light of regulations such as the GDPR [General Data Protection Regulation] or open banking, we are at a crossroads around three points of tension,” she told Computer Weekly.

First is regulation or compliance regarding consumer data protection, said Dow. Second is tension around commercial models, which are in flux because of problems created by the way data has been traded, has not been secured well, and the lack of liability. Third, there is tension around the emerging technologies that are enabling new business models.

“We need to move away from ‘digitised’ to ‘digital’ because a lot of companies have been focused on digitising their processes instead of making them truly digital,” she said. “In an attempt to create a digital channel, they are doing things like putting forms online, instead of thinking about tokenising identity, access, authentication and authorisation, as well as about how to remove friction and improve compliance.”

As a result, there are some new roles that are emerging in the ecosystem, said Dow. “There is more and more need for a relying party to feel that they can trust where the data is coming from, trust its provenance, and trust who is supplying it and who is vouching for it.”

With the explosion of internet-connected devices making up the internet of things, Dow said there are now many more things to trust, authenticate and authorise.

“We need to get the utility layer right around consent, otherwise it becomes just another bad cookie policy,” she said. “In addition, we desperately need better governance and transparency around how data is collected and protected.”

Against a background of changes in the digital landscape, such as blockchain and other distributed ledger technologies becoming more mainstream, organisations are being forced to start thinking about new models, said Dow.

“In this context, the hallmark of anything that is futureproof – be it a society or company – is going to be the willingness to share the data that it collects about its people for mutual value,” she said.

In response, said Dow, Meeco is focusing on four big problems that need to be solved – compliance, cost, consent and collaboration.

“The problem of cost includes the rising cost of bad data, which is estimated to cost $3tn a year in the US alone, and the cost of data breaches,” she said. “And when it comes to consent, the problem is that, in many cases, people do not really understand what they are agreeing to.”

Collaboration is an area of particular focus for Meeco, said Dow, because the future of data and identity will enable personalisation of services, but that potential will not be realised without a solid foundation of trust in the digital world.

“The future of personalisation can only happen if we can land on a trusted ecosystem – the ability for people to bring data from different bits of their lives to enable integrated personalised experiences that are underpinned by identity, authentication and authorisation, and where each contributing service provider manages that data appropriately,” she said.

But Dow warned that unless service providers start thinking about how to approach identity and access management to unlock that potential, they will miss a “huge opportunity for innovation”.

To unlock that, Meeco is focusing on progressive disclosure and zero knowledge proofs. “This is all about having the ability to share a secret without giving the secret away or showing proof of knowing a secret without sharing the secret, how I know it or where it came from,” she said.

“So going back to the ecosystem of trusted actors, it will mean, for example, that people can prove they are over 18 without giving away their actual date of birth. It is about finding ways of turning data into attestation backed up by either provenance or a trusted, verified third party.”

According to Dow, these third parties could be existing regulated markets that already have responsibilities, such as banks, telcos, governments and utility providers that are already generating documents that could be used for attestation.

“The core of the business model opportunity we see emerging is the case for progressive disclosure, which takes three basic stages or steps,” she said.

The first is a “drive by” approach, which in a mortgage application, for example, there are only a few things a bank would need to know, such as age, income and existing mortgage, to assess whether or not to move to the second, “tell me more” stage, such as proof of income, mortgage payments, and the amount the applicant wants to borrow.

“Finally, based on the information provided in the first two steps, the business logic should be able to determine the likelihood of the organisation offering any applicant a mortgage up to a particular value,” said Dow. “And the risk to the person’s credit score, identity and personal data has been minimised.”

Only at the point that business logic determines that there is a high likelihood of offering an applicant a mortgage is the data verified, collected and processed. “It also enables the organisation to say ‘maybe’ rather than ‘no’ and telling potential customers what they need to do to qualify,” she said.

This approach is about applying business logic to data to take advantage of the data portability being enabled by GDPR and open banking (PDS2), said Dow.

“The idea of people just getting their data and backing it up is not really going to create any net new value,” she said. “There are not going to be any economic incentives in that and there isn’t necessarily any improved security. So unless we can find a way of people doing things in a more convenient and trusted way, then we are not really going to see a return on all of these increased data capabilities.”

According to Dow, many organisations still fail to see the business opportunities enabled by establishing a trust relationship with their customers.

“They are still seeing it as a compliance burden, so they are missing the opportunity for business innovation through improved business processes and applying business logic to the data they have at their disposal,” she said.

A 150-year-old insurance company, for example, could think about using its actuarial expertise to power fintechs and other startups as partners.

“So instead of locking it in their own organisation, they could use that risk capability to partner into different marketplaces,” said Dow. “It is about taking a core product and thinking about it in a completely different way to enable a data-driven outcome.” 

Dow will discuss these topics in more detail in a session entitled “Progressive disclosure: How zero knowledge proofs enable CIAM” at Consumer Identity World Europe 2018 in Amsterdam from 29 to 31 October.