Presented at "GDPR Making it Real" hosted by DAMA UK and BCS DMSG. 12 June 2017

1. Digital Disruption and Consumer Trust
Resolving the Challenge of GDPR
Richard Veryard
GDPR Making it Real – DAMA UK and BCS DMSG – 12 June 2017

2. 2
The GDPR challenge
The trajectory of
innovation may
possibly diverge
from the
trajectory of
consumer
expectations,
thus opening up
a trust gap.
The Innovation
Curve
Consumer
Expectations
Trust Gap

3. 3
Four Types of Trust
Definition GDPR Consequences
Authority
Trust
Trust is based on a
central authority.
Data Protection standards
defined by GDPR and
enforced by Information
Commissioner.
Enforcement
Penalties
Commodity
Trust
Trust is based on a
negotiated
exchange.
Explicit consent. Consumer
gets something in return for
consent.
Compensation
Network
Trust
Trust is based on
the community.
Good practice enforced by
the internet.
Reputation
Damage
Relationship
Trust
Trust is based on
authentic
relationships
between people.
?? ??

4. 4
Who gives their real
email address to get
free coffee shop wifi?
Cycle of Mistrust
Date of birth:1st January 1970
Email address: rubbish@junk.com
Based on your data, we think you might
like to buy yet another book on Privacy.

5. 5
“When you look at systems like Facebook, all the hints
and nudges that the website gives you are towards
sharing your data so it can be sold to the advertisers.
They’re all towards making you feel that you’re in a
much safer and warmer place than you actually are.
Under those circumstances, it’s entirely understandable
that people end up sharing information in ways that
they later regret and which end up being exploited.
People learn over time, and you end up with a tussle
between Facebook and its users whereby Facebook
changes the privacy settings every few years to opt
everybody back into advertising, people protest, and
they opt out again.
This doesn’t seem to have any stable equilibrium.”
https://www.edge.org/conversation/ross_anderson-the-threat
Cycle of False Trust
Ross Anderson
May 2017

6. 6
Different Types of Consumer
• Digital Literacy
• Facebook
Smartphone
Generation
The Innovation
Curve
Consumer
Expectations
Trust Gap

7. 7
Different Types of Innovation
Data
Big Data
TotalData™
Consumer
Expectations
Trust Gap
The Innovation
Curve

8. 8
Digital Marketing Hype Curve 2015
How many of these are
affected by GDPR?
It’s not a cycle

9. 9
Innovation  Digital Disruption
Personalization
Positive
experience
helpful,
anticipating
Negative
experience
intrusive,
stalking
Automation
Positive
experience
frictionless,
instant
access
Negative
experience
inflexible,
soulless
Big Data
Positive
experience
Filter
Bubble
Negative
experience
Filter
bubble

10. 10
Some technological
innovations may threaten
privacy
• Facial Recognition
• Customer Instore Tracking
• Employee Location Tracking
Some technological
innovations may enhance
privacy
• Encryption
• Tokenization
• Pseudonymization
Technological Change

11. 11
The Choice
Maximum Engagement
• Create a trustworthy
data protection
environment.
• Actively seek data
subject participation
and consent.
• Gain competitive
advantage from
customer centricity
and trust.
Minimum Viable
Compliance
• Add essential
measures and
procedures (e.g.
encryption, consent).
• Fix systems and
processes to achieve
GDPR compliance
with minimum change
to business as usual.
Minimum Engagement
• Store and use as little
personal information
as possible.
• Delete most personal
information.
• Use verified secure
third parties for
essential transactions
(e.g. payments).
• Forsake customer
insight and
personalization.
Trust
Customer
Centricity
Data Frugality
Data
Avoidance

12. 12
Awareness
(hopefully)
Clear and
costed plan of
work
+
Allocated
Resources
+
Decisions
GDPR
Compliance
+
Business as
usual
(hopefully)
Simple Story – Two Milestones

13. 13
GDPR Work Packages
Data Discovery
•Identify all business processes, systems,
applications, data stores and other
places where personal data are
collected, stored, transmitted and used.
Risk Assessment
•Identify business and technology threats.
Evaluate high-impact threats.
•Assess the adequacy of existing security
and governance mechanisms to protect
against these threats.
Policy Assessment and
Alignment
•Review existing policies against GDPR
requirements
•Review policy adherence and
enforcement
•Identify and implement policy and
governance changes
Customer-Centric View
•Survey customer view of data protection.
•Identify any trust issues from the
customer perspective.
•Understand the factors that will lead to
customers granting or withholding
consent.
Technology Review
•Identify any new / recent technologies
that raise privacy concerns.
•Identify and evaluate relevant privacy
enhancement technologies.
•Select, adopt and configure privacy
enhancement technologies as
appropriate.
Privacy by Design
•Establish architectural principles and
structures to promote privacy
•Establish privacy impact assessments for
new solutions and technologies
Consent Engineering
•Build and implement standard modules
for consumer consent
•Establish business processes and
practices for consent and
withdrawal/erasure.
Privacy Engineering
•Establish robust systems and processes
for data encryption, tokenization,
detokenization and pseudonymization
•Establish secure mechanisms to prevent.
detect and repair any breaches
Governance
•Determine responsibilities for data
protection, including Data Protection
Officers.
•Align existing governance structure and
processes with the requirements of
GDPR, and/or establish additional
structure and processes.

14. 14
I’m going to look at
these two in particular

15. 15
Step 2 – Discovery
Triage Easy and obvious first? Hmm
Challenging first Risk-based approach
What to
look at
Business processes Important, because we need to know
why/where personal data is used
Business policies Data sharing agreements
Application / data Is there an application catalogue? Data
dictionary? Master data management?
How Interviews with system owners … if you can find them
Documentation … if there is any
System / Data Inspection Search for recognizable data – e.g.
postcodes, dates of birth, card numbers

16. 16
In the traditional “traffic
light” schema, AMBER
is usually a fudge.
For senior management,
white is (or should be)
more worrying than red.
Aside – the Italian Flag schema
GREEN
OK, more or less under
control, no major issues
RED
One or more known
problems
WHITE
We don’t have a xxxing
clue

17. 17
Touchpoints Data Types Business Context
Point-of-Sale Transaction
Email
Website Visit
App
Social Media
User-generated content
Paper
Phone
Visit
Name and address, postcode, email
address, phone number
Personal characteristics
Age, Ethnicity, Religion, Social Class,
Employment History, Education Level,
Marital Status, Sexual History, Health
History, Credit History, Travel History, …
Password Recovery Data
Mother’s maiden name
Name of pet
First school
Possessions
Car Registration Number, MAC address
Physical appearance and characteristics
(including images for face recognition)
Account Numbers
Bank, Credit Card, etc.
Internet
Social media handles and history
Cookies
IP Address
Direct Marketing (Targeting &
Personalization)
Credit / Fraud Screening
Pre-Sale
Sale
After-Sale
Customer Service
Data Discovery – Customer
Which applications
manage and monitor
these touchpoints?
How can we discover
this information in
informal systems as well
as formal applications?
Which business
capabilities are likely
to be using personal
information?
Which applications
(including reports and
analytics) support
these capabilities?

18. 18
Touchpoints Data Types Business Context
System log
Workflow
Customer service
Intranet
Public internet
?
Name and address, postcode, email
address, phone number
Equipment issued to employee
Computer, phone, car, etc.
Personal details
Marital status, health history,
Bank account, pension fund,
Any business transaction that requires
authorization or approval
Purchase Order, Goods Received,
Payments, …
Any business activity with a potential for
employee malfeasance
Stock Movement, Customer
Refund, …
Work planning and monitoring,
productivity
Individual/team performance analysis,
career management, training history,
promotion prospects, …
Which applications
manage and monitor
these touchpoints?
Data Discovery – Employee
How can we discover
this information in
informal systems as well
as formal applications?
Which business
capabilities are likely
to be using personal
information?
Which applications
(including reports and
analytics) support
these capabilities?
Typically
• A few obvious systems and processes with
large amounts of employee data
• Many systems and processes with small
amounts of employee data

19. 19
Customer
Employee
Third Party
BRM GDPR Heat-map example

20. 20
Step 7 – Consent Engineering
Characteristics
 Non-reversible procedure
 Early sample trial
recommended
 Ambiguous identity
 Omnichannel
Current Status
CONSENT
GDPR Compliant Status
CONSENT
Current Status
NON-CONSENT
GDPR Compliant Status
NON-CONSENT
Procedure
RECONSENT
Metric
CONSENT PERCENT
E.g. opt-out bundled consent based
on unclear privacy policy
E.g. opt-in granular consent based
on clear privacy policy

21. 21
Step 13 – Business as Usual?
Programmatic Advertising  DSP
Contextual Advertising
Machine-learning  Organizational
Intelligence
Humanizing Digital
Transparency
• To what extent is your
business-as-usual even
possible?
• How must you change the
way you do business?
• How must you change the
way you were planning to
do business in the future?

22. Richard Veryard is a consultant with Retail Reply,
specializing in enterprise information architecture for the
retail and consumer sector. He has written and presented
widely on such topics as business architecture, service-
oriented architecture, information management, and
organizational intelligence.
@richardveryard
Retail Reply are specialist retail consultants who help our
clients respond to digital transformation through customer
centric solutions.
http://www.reply.com/retail-reply/en/
retail@reply.com
+44 20 7730 6000
@retail_reply

23. 23
References and Further Reading
https://ico.org.uk/media/for-organisations/documents/1624219/
preparing-for-the-gdpr-12-steps.pdf