Ctrl-Shift is a specialist business consultancy helping organisations to grow and innovate in the digital economy by developing and future-proofing digital products and services which empower customers through greater control of their data. Based in London, their list of clients includes the BBC, British Telecom, Facebook and Intel.
I spoke with the CEO and co-founder of Ctrl-Shift, Liz Brandt, whose career spans over 20 years of business consultancy across numerous sectors.
We talked about the importance of consumer trust in the data economy, deriving value from Data and GDPR for a post-Brexit UK.
Liz spoke on the panel at day two of the summit, during the session ‘Interfaces with privacy – user trust and user control’.
So Liz, tell me about the work of Ctrl-Shift and what brings you to Data Summit 2017?
What we focus on at Ctrl-Shift are the relationships that drive technology. Tech is at the point of interaction between individuals, yet it hasn’t been intuitive; it’s not always straightforward – yet it’s ultimately about relationships.
I set up Ctrl-Shift eight years ago outside of the corporate world. Consumer uptake of smart devices has grown exponentially since then and thus so has the amount of data, specifically personal data. Therefore, trust becomes a key factor for any kind of business within this context – these are ‘sharing’ relationships.
At Ctrl-Shift, we help companies create customer value opportunities through technology. We help businesses to build new, permissioned, personalised digital services which empower customers through greater control of their data. We believe helping companies make a successful transition to the digital economy through better data management requires a more ‘conversational’ style.
For example, take the BBC – a large, national broadcasting organisation must look at how they govern data and align their digital policies accordingly. This type of fundamental change must be overseen at executive level – so, reputation is very much on the line. All of these areas feed into GDPR- and that’s why we’re at the Data Summit. We’ve been working with three organisations on GDPR on a transformation programme. We’re looking at how GDPR can foster growth – if you can create data from value, then you create more trust. But, strong governance is needed here.
You say that most UK companies are unprepared for GDPR; is this current situation potentially disastrous unattended to?
With the onset of GDPR next year – a different, new data relationship is required. Better relationships within this context will inherently create value. The question is how do you create a market that enables economic growth of a business, that supports society and gives people value within this new regulatory context? How do you create value to the business, the individual, society? How do you design that?
Outcomes are important.
There is a potential downside that may occur as we approach the GDPR deadline– companies may be inclined to give away data, similar to dumping toxic waste, to have less data to manage and take care off before preparation for the onset of GDPR. But if companies begin selling data off this way, it will be a race to the bottom. This is lazy business practice and it creates problems. The original concept of value in business focused on people – people create value for shareholders – this is conventional thinking.
The GDPR is a much more robust data system and these methods will soon be redundant. So, by creating inherent value with data, people will start to move towards new business models. This is how a change in the market will occur, pushing organisations towards better business solutions. Insurance companies are currently looking at trusted digital services, as are banks and telecoms companies. I’d be surprised if the Irish Data Protection Commissioner and the UK’s equivalent, the Information Commissioner’s Office (ICO) came out swinging against companies already invested in the process of short term solutions before GDPR. Markets thrive on strong legislation, but also fairness.
Should companies be solely leading the way when it comes to managing vast swathes of data before the onset of GDPR?
We, as individual people, should be empowered to allow our data to be used – it’s our choice. Data management should be personalised to be controlled at the levels of individual users – there should be different ‘filters’ available for users, in terms of how much data they allow to be accessed by third parties. We give Google, Mozilla this power and then we don’t hold them to proper account. We’ll get it wrong but… but we’ll get it right. It will inevitably be a trial and error process. The best analogy for this situation is development of the first vehicles to market and the development of brakes.
When cars were first introduced in the late 1800s, they didn’t have brakes – thus, cars were incredibly dangerous pieces of technology. There were new laws developed as a response, the red flag laws, involving red flags being used to alert bystanders to the fast-approaching primitive vehicles. So, while legislation was in place as a response to this new technology, it was ultimately a new technological breakthrough which ultimately regulated the market – the development of brakes for these cars.
It was a permissiveness which allowed these brakes to be created. Sometimes in a permissive environment, people find solutions. This is one of the earliest examples of ‘new value services’. This is when the conditions of the market or wider society force people to ‘create value’. This occurred with the creation of brakes. Following the implementation of the regulatory framework of GDPR, the same development can happen.
Are we going to see companies scrambling to complete DPIAs? (Data Protection Impact Assessment – a risk assessment of proposed processing of personal data)
Yes – and it will be messy.
This will be lucrative for organisations offering services and consultations for DPIAs. People do still have time, but by the end of the year, we’ll see a scramble. Managing all of this data is a big management issue and a big governance issue.
If you’re behind the curve, you’ve lost the opportunity. It’s a bigger risk commercially if you’re late. This is all a result of the past behaviour of businesses. Business have typically taken data first, then worked out its value later, then selected the data they want. For small businesses also, preparation for GDPR will be a big challenge. There’s a greater likelihood that they won’t be ready; data will be compromised.
Even now, less robust companies are setting out to misuse data in the face of the oncoming regulatory framework – in this way, there is also the distinct risk that people will lose trust in the digital economy as a result. The UK’s data authority, the ICO, is completely overwhelmed. There is also the danger of a lot of inaccurate information at present, being widely available in the marketplace for businesses. Data Protection Authorities must be very clear in their GDPR guidance.
How should the UK approach GDPR and the Digital Economy, post-Brexit?
The UK has been at the forefront of this digital market. The worry is that other countries will come marching in and exploit this uncertainty period for the UK. foresee that the UK’s data legislation will be very close with the EU’s, even following the UK’s departure.
Will we end up drifting across the Atlantic or stay with the channel?
I think that the UK will carve out its own views, but mostly its cultural perspective is what is rudimental to the overall UK stance. And that cultural perspective is fundamentally more aligned with Europe. UK consent laws come from a permissive environment. I believe that it should go in that direction also. That way is more valuable commercially, socially. It brings value to economies and societies.