I spend a fair bit of time talking with regulators and other companies – naturally there’s now a lot of focus on implementation.
Companies are starting to work through compliance plans.
Regulators are still trying to create guidance on the GDPR. It’s huge.
The same applies to FB. We already have an extensive programme.
We are in a probably unusual position in the degree of attention privacy gets within the company. [say more about what we have –
Programme team XFN Privacy engineering 100s of privacy professionals
But I want to step back from questions of compliance, and reflect upon the way personal data is changing within the economy.
I’m conscious that I’m speaking at a CDO conference not a legal conference, and this is why I chose this angle.
We could foresee a future in which:
- Regulators feel that companies, large and small, understand the GDPR and are complying
- Consumer trust is rising and confidence around data is improving
- Companies are able to operate and innovate, and have a clear and predictable set of rules to comply with
- Sensational headlines are a thing of the past – fines and sanctions are used sparingly
I would call that success.
That is what I believe the EC has intended to be the result.
But this is by no means assured. Another version of the future is this:
- Regulators feel that companies are paying lip-service to the rules, and hiding behind their lawyers. Small companies in particular are largely unaware of the GDPR, let alone how to comply with it
- Consumer trust continues to decline; people feel they are continuing to lose control
- Companies are fearful of unpredictable regulators and opaque rules and standards, and innovation is chilled, as Europe becomes a high risk territory to launch new services
- Sensational headlines continue to stoke generalised discontent
SLIDE: FAILURE: I would call this failure.
So, we’re at a critical juncture.
Both of these versions of the future are entirely possible. Which one becomes the reality has little to do with the actual rules set out in the GDPR. Those rules are perfectly capable of delivering either of these futures. Success (or failure) is dependent on a range of other factors. I want to talk about those other factors.
To bring out those other factors, I want to refer to a research programme I initiated when I joined FB.
This programme was focused not on the law or how companies can comply with it, but on understanding the factors that will help to ensure we achieve the first of the two scenarios I painted, not the second.
Report, called “A New Paradigm for Personal Data - Five Shifts to drive trust and growth.”
The Paradigm Shift that the report refers to is a shift from a “trade-off environment” to sustainable growth – where innovation with personal data is not just compatible with, but increasingly supports and enhances, the individual’s empowerment and control.
The 5 shifts – themes which emerged suggesting change of mindset.
These are shifts that are happening, and that need to continue and/or accelerate.
I’m going to talk about 3 of these shifts this morning.
First shift is the shift from compliance to sustainable customer relationships.
The report highlighted how traditional thinking about data from a legal and compliance perspective has left us in a deadlock.
When CEOs hand issues of data protection to GCs, the natural reaction is to look for the least disruptive solution to the status quo. The result is that companies appear to DPAs like they are paying lip service to the issue. Hence, why we have a situation where little tangible progress often appears to be made.
But we have seen a change. This conference and others like it are important signals of that change.
Every business is a digital business, and recognises the value of data as an asset for growth and transformation.
This necessitates a different attitude in companies – find a different locus for the thinking about these issues (CDO?).
Regulation needs to recognize how to encourage this shift – not through prescription.
To give some examples of how this manifests itself at FB, I want to talk a bit about Ad preferences.
In a simpler sense, we are treat the controls we give to our users. We do this because we need to create confidence – it’s a business / trust issue more than a compliance issue
Likewise, our PbD process was developed within our Marketing Function, and is now run by a dedicated programmes team.
I don’t want to suggest that everything is perfect at FB – it’s not and we have work to do, but there are some aspects of the programme which I believe are world class and PbD is one of them.
The key ingredient is that the locus of responsibility has already shifted away from legal and compliance.
The second shift I want to highlight relates to the way regulators regulate.
Regulation. We need to encourage truly “smart” regulation, which in turn encourages innovation - by being flexible and responsive to new technologies.
There is a lot of interest and debate happening right now about how the GDPR is going to force DPAs to think differently about how they regulate.
Not only have their responsibilities expanded hugely, let’s just reflect upon the scale of the task before them.
Data is everywhere. Every business – from the mega corporation to the local plumber – is processing data.
DPAs have become the de facto regulators of the entire digital economy, which necessarily depends on data flows.
So, arguably, there has never existed a regulatory framework of such scale in terms of how many people it relates to, and the expectations on DPAs for how they are going to ensure the success of this framework.
This is a massive challenge. And, just like the title of our report, it will require a paradigm shift in the way Regulators regulate.
Our report identifies the need for Smart Regulation. I could spend a lot of time talking about Smart Regulation, but I think one of the central elements of Smart Regulation is that Regulators utilise forces, motives and incentives that exist or are emerging to achieve their ends.
I’m going to talk about a couple of critical factors here that should shape the way Smart Regulators regulate.
A key insight - Individual choice and self-determination must be at the centre of the debate about how to regulate data.
Personal data is valuable to companies. Personal data is increasingly valuable to society. But personal data – my personal data – is of most value to me.
The key point is this - individual agency is becoming a powerful ingredient in unlocking value and building trust with innovative new services.
Over the last 15 years, technology has enabled people to do things they couldn’t previously do. Now, for the first time in human history, anyone can access these tools and use data to manage their lives.
We have a choice about how we respond to this change.
This is too important a factor for Regulators to ignore. Active engaged consumers are now playing an active role in the economy. They are forcing changes in the market, and the market is reacting and responding.
End-to-end encryption on WA. Browsers – Apple, MSFT, Mozilla. The growth of the privacy industrial complex – THIS IS ABOUT RESTRICTING AND CONSTRAINING DATA
But there is a development that is far more exciting than the privacy industrial complex.
We have been working with many startups and entrepreneurs around the world who have recognised that the empowered consumer presents an opportunity to serve them in ways that open up value from personal data in entirely new ways, but where the central proposition is putting people in control.
Sheryl came to Paris a few weeks ago to announce our partnership at Station F.
Station F is Europe’s and the world’s biggest startup hub. It will host over 1000 startups. Founded by Xavier Niel, one of France’s most successful entrepreneurs.
FB taking its first physical space.
What is unique is our focus on personal data driven startups and focus on helping these emerging business models develop and succeed.
Our programme is designed around their needs.
The third shift I want to talk about is the shift from good intention to good outcomes.
We need solutions that work.
One of the biggest failures of DP legislation is that no one feels any better or safer as a result.
The second initiative addresses the second step identified in the report – to build TTC.
The problem – lawyers and regulators trying to build UX.
We use a completely different set of skills to solve human interaction issues. Think of how we design cars.
We need to draw upon these skills and bring them to the way people interact with their data.
The event in Berlin in March is a pilot.
Our ambition is to grow the concept as an independent initiative that can scale – and can provide solutions and insights at scale for the benefit of the entire industry.
Stephen Deadman, Global Deputy Chief Privacy Officer, Facebook - CDO Europe 2017 (gdpr)
Enhancing Privacy Through New Business Models to Unlock the Social and Economic Value of Personal Data
set context and
questions for debate
themes emerging from
from all 21 roundtables
A New Paradigm for Personal Data: Five Shifts to Drive Trust and Growth
From compliance to sustainable
• A dedicated mentor at
• One-on-one office hours
• Weekly workshops
• Facebook will not be taking equity in the startups
• Facebook is not providing
the startups with any
special access to
An incubator with a
• 80 desks
• 15 startups
• 6 months
• Multi-million Euro commitment over 3 years
facilities to support