Which Accountability Category Do You Fit In?

For the past month, IAF staff has been working to turn the IAF data protection principles released last summer into legislative language. It has been our observation that "legislative text" is the more comfortable lingua franca for policy makers in the U.S. Creating legislation from principles is a very humbling experience. The principles seem so straightforward, particularly when they have been developed over the greater part of a decade in one IAF project after another. The IAF team can catalogue the concepts in the principles to the projects where they were tested. But translating the concepts into legal burdens for organizations, tied to multiple stakeholder interests, or into rules for regulators charged with keeping those organizations within legal bounds, is not so simple. It quickly became apparent that what seems clear, and what the team has taken for granted, is mysterious to others. The license to break glass through more complex data processing and data use involving, for example, advanced analytics is an agreement to have processes in place so that the interests of all stakeholders, as reflected in both positive and negative consequences, are taken into consideration. Moreover, the processes must be conducted with honesty and competence. But when should an organization carry that significant burden?
Accountability 1.0 is for organizations of all sizes and complexities, and it scales accordingly. It requires organizations to have policies that link to the law, mechanisms to put them in place, security safeguards, internal oversight, and documentation for basic processes. Tools and generic templates may be built by third-party vendors, trade associations, and even regulators.
Accountability 2.0 is for the glass breakers, such as those who use data from sensors, employ artificial intelligence and machine learning, create inferred data, or make probability-based decisions about people. Demonstrable accountability 2.0 is the license for breaking glass. Therefore, accountability 2.0 requires policies, implementation rigor (including assessments), internal reviews, individual recourse, and a different rigor of oversight. For the glass breakers, accountability 2.0 is the cost of doing business with data that is very impactful in creating positive outcomes for individuals and society (and shareholders) but that can also result in the increased loss of private space and the potential for more negative consequences. While the components of an accountability 2.0 based program are the same from organization to organization, they need to be customized to be effective.
So how is a law written that differentiates the data glass breakers from the organizations that are not and will not be data glass breakers? How are markets split into those upon which it is and is not reasonable to place the regulatory burden? For the IAF, it has not been so hard to discuss these distinctions conceptually, but translating these concepts into legislatively framed rules has been much more difficult.
To illustrate, a few scenarios are described:
Global Fashion Chain Company: This company has stores on every continent. The brand is high fashion, from designer runway to store in weeks, with inventory changing rapidly. It drives traffic by understanding its market and creating an experience that gets its customers into its stores to see what is new. Data is aggregate and is used to complete transactions; it is not used to target individuals. The fashion chain may break glass, but not with very personal data. It is a large, consumer-oriented company, but not a data glass breaker. It fits into accountability 1.0.
Digital and Brick-and-Mortar Retail: This retailer has customers who shop both in its stores and online. Often the customers will browse the stores and then purchase online, and often they shop in reverse. The company tracks what its customers shop for and buy. It links the online and offline experience by identifying customers who have shopped online when they walk into the store with their phone. It analyzes all the data related to these consumers and augments the analysis with purchased data. It uses a service to link consumers with their phone, PC, and tablet, all their touch points. It uses analytics to set prices and works with suppliers to predict new products that will sell. It is a data innovator and fits into accountability 2.0.
Scientific-Research-Driven Pharmaceutical Company: This company's stated mission is to make money by using the scientific method to create new drug-based cures. The company collects most of its personal data about patients through clinical researchers. The clinical research is governed by strict oversight rules developed by governments but implemented through ethics boards. The company will increasingly use data from clinical and medical-outcomes environments to create insights that improve the research method, but it will only use the data in closely related activities. It is a large company whose data use follows protocols that evolve slowly, governed by a tradition of process oversight and regulation. It fits into accountability 1.0.
Medical Device and Medicine Delivery Company: This company is looking to innovate by creating autonomous delivery methods that will augment linked medical devices. To understand the risks related to such delivery methods, it uses sensor data to enhance its knowledge of how people behave. This approach requires data from many sources to be linked together. To link the data, it both purchases data and uses vendors. The data is processed in a de-identified manner, but the keys are readily available to link new data to existing data sets. The insights are transformed into inferred data. It is a data trend setter and fits into accountability 2.0.
Data Enhancement Startup: The company currently has only ten employees and almost no revenue. Most of the employees are data scientists and engineers proficient in data hygiene. The company is working with potential clients to better understand how to build advanced predictive platforms. The company does not source data directly from individuals. However, it is using its clients' data to perfect its own systems and is creating inferred data from its insights. It fits into accountability 2.0.
On one hand we have a global fashion brand that breaks glass with the way it merchandises, but it does not use data that is impactful on individuals. On the other hand, we have a tiny company that sources no data directly from individuals, yet it is generating inferred data that may well be impactful on individuals. Thus, it is clearly not organization size that defines the split. Nor does the industry define who is a data trend setter, and neither does the amount of data held define who fits into accountability 2.0. Rather, what determines who will be subject to the additional obligations is something very different: how the data is used and how impactful that use is on individuals. Placing a bright-line label on that cut point is an interesting challenge. It is a challenge we are working on today.
There is a challenge for you as well. You will live with new legislation for a generation. If you were writing the breakpoint between basic obligations and rigorous obligations, what bright-line criteria would you use? And where would your company fit today, two years from now, and by 2025?
We are very interested in your thoughts. If you are an IAF member company, please place the June 26 summit on your calendar.