There probably won’t be a TLC reality show about it anytime soon, but the concept of “data hoarding” is real, and it’s about to be declared illegal in South Africa, according to an article last week by ITWeb SA. The story concerns the imminent implementation of the Protection of Personal Information (POPI) Act, which stipulates that “data may only be processed for as long as there are clear and defined business purposes to do so” (italics mine).
If you haven’t heard the term before, “data hoarding” is, according to Michiel Jonker, director of IT advisory at Grant Thornton:
“The gathering of data without a clear business reason or security strategy to protect the underlying information.”
Implication #1: data hoarding legislation could spread to other countries
This is big news for organizations doing business in South Africa, as well as data-watchers outside the country: marketers, data scientists, strategists and anyone whose business depends on collecting, processing, using and storing data.
This means you.
Says Jonker, “we are all data hoarders. Data is hoarded in eletronic and non-electronic formats and, with the emergence of the Internet of Things, machines are also creating data. People also have a tendency to multiply data by sharing it, processing it and storing it.” “The problem with data hoarding,” he says, “is it attracts ‘flies.’ As data is being referred to as the new currency, big data also attracts criminals.”
I asked Judy Selby, Partner, Baker Hostetler and an expert in data privacy law, whether legislation such as POPI could ever be adopted in the United States. She believes that it could. “Some of our privacy laws have criminal penalties, so it’s not unheard of. In the context of data hoarding, especially involving a data broker, I suspect if there’s a big privacy or security incident associated with the data, some of the more active states in this space (such as California, for example) might make a move in that direction.”
Implication #2: Data hoarding legislation and risk avoidance put pressure on data strategy
This piece of legislation gets at a particularly thorny issue for data scientists, ethicists, marketers—really anyone interested in balancing the twin imperatives of extracting insight and fostering trust. To extract the most useful insights, develop the most personalized services, run the most effective and efficient campaigns and organizations requires data—lots of it. It’s not always possible to anticipate what is needed, so the natural impulse is to store it until it comes in handy.
But to protect privacy, and reduce what Jonker refers to as a company’s “risk surface,” we actually need to collect as little data as is practically necessary, and only for uses that we can define today. POPI lays down the law for that decision in South Africa.
Implication #3: Organizations should address security and define use cases now
Organizations should look closely at the two main tenets of the POPI legislation–clear and defined business reasons, and security strategy—for leading indicators of issues that may crop up in other geographies.
Both tenets are challenging, partly because of the potential multitude of business cases for data, and because of the many and disparate data types available. While security strategy may be the most obvious (albeit challenging) first step, we would also recommend early thinking on future uses of big data, including IoT (sensor) data.
My colleague Jessica Groopman’s research report, entitled “Customer Experience in the Internet of Things,” published today, offers excellent examples of how organization are using IoT today, and how they may do so in the future. Reading this report is a terrific first step toward envisioning how such data might be used in the enterprise.
We’ll be watching this space closely for future developments, and suggest you do the same.