There probably won’t be a TLC reality show about it anytime soon, but the concept of “data hoarding” is real, and it’s about to be declared illegal in South Africa, according to an article last week by ITWeb SA. The story concerns the imminent implementation of the Protection of Personal Information (POPI) Act, which stipulates that “data may only be processed for as long as there are clear and defined business purposes to do so” (italics mine).
If you haven’t heard the term before, here’s how “data hoarding” is defined, according to Michiel Jonker, director of IT advisory at Grant Thornton:
“The gathering of data without a clear business reason or security strategy to protect the underlying information.”
Implication #1: Data hoarding legislation could spread to other countries
This is big news for organizations doing business in South Africa, as well as data-watchers outside the country: marketers, data scientists, strategists and anyone whose business depends on collecting, processing, using and storing data.
This means you.
“We are all data hoarders. Data is hoarded in electronic and non-electronic formats and, with the emergence of the Internet of Things, machines are also creating data. People also have a tendency to multiply data by sharing it, processing it and storing it,” says Jonker. “The problem with data hoarding,” he says, “is it attracts flies. As data is being referred to as the new currency, big data also attracts criminals.”
I asked Judy Selby, Partner, Baker Hostetler and an expert in data privacy law, whether legislation such as POPI could ever be adopted in the United States. She believes that it could. “Some of our privacy laws have criminal penalties, so it’s not unheard of,” says Selby. “In the context of data hoarding, especially involving a data broker, I suspect if there’s a big privacy or security incident associated with the data, some of the more active states in this space (such as California, for example) might make a move in that direction.”
Implication #2: Data hoarding legislation and risk avoidance put pressure on data strategy
This piece of legislation gets at a particularly thorny issue for data scientists, ethicists, and marketers—really anyone interested in balancing the twin imperatives of extracting insight and fostering trust. Extracting the most useful insights, developing the most personalized services, and running the most effective and efficient campaigns and organizations requires data—lots of it. It’s not always possible to anticipate what is needed, so the natural impulse is to store it until it comes in handy.
But to protect privacy, and reduce what Jonker refers to as a company’s “risk surface,” we actually need to collect as little data as is practically necessary, and only for uses that we can define today. POPI lays down the law for that decision in South Africa.
Implication #3: Organizations should address security and define use cases now
Organizations should look closely at the two main tenets of the POPI legislation (clear and defined business reasons, and security strategy) for leading indicators of issues that may crop up in other geographies.
Both tenets are challenging, partly because of the potential multitude of business cases for data, and because of the many and disparate data types available. While security strategy may be the most obvious (albeit challenging) first step, we would also recommend early thinking on future uses of big data, including IoT (sensor) data.
My colleague Jessica Groopman’s research report, entitled “Customer Experience in the Internet of Things,” published today, offers excellent examples of how organizations are using IoT today, and how they may do so in the future. Reading this report is a terrific first step toward envisioning how such data might be used in the enterprise.
We’ll be watching this space closely for future developments, and suggest you do the same.