Data privacy – where are we now?

The data economy is driving behavioural change, and GDPR is only the beginning. Where do you stand?

As the General Data Protection Regulation (GDPR) takes full effect and Facebook settles another $365million lawsuit, we might begin to ask ourselves whether the issue of data privacy is finally being addressed.

Not a chance.

For years, the billions of Google and Facebook users have been giving tech giants the most valuable element of their business – an endless stream of consumer data. But how many of these users were aware of what they were giving away? Data scandals often derive from a mindset that presumes innovation and development can only work from consumer data that is collected and used surreptitiously, rather than through a transparent and honest data-exchange method.

The introduction of GDPR has established two new paradigms: firstly, companies no longer “own” the data of their customers or consumers, rather those customers and consumers themselves do; secondly, people understand now, more than ever, the value and power of their personal data. So companies need to respect that this data comes from real people and involves or affects the lives of those people.

Data is still regarded as one of the most important sources of insight, innovation and competitive advantage, but alarms from the Cambridge Analytica data harvesting scandal, alongside the widespread introduction of GDPR, have forced organisations big and small, across industries, to ask the question: how are we looking after the data that has been entrusted to us? For the first time, organisations need to have clear protocols to ensure they take care of consumer data. But there’s still a long way to go.

For such a valued asset, protection is lax. Our recent research shows that data is being shared freely within organisations, with little or no regulation – and even more worryingly, it’s being shared far too freely with external third parties. This highlights a need for better understanding of the increased responsibilities associated with the curation of data.

We also found that the majority of global leaders believe that once data is collected, it is then owned by the company that collected it – even though GDPR clearly states that the data subject (the consumer) owns their data. It’s clear that business leaders put a high commercial value on consumer data but place less emphasis on ensuring its security.

The research and insight industry, worth over $6.6billion in the UK alone in 2017, has a long and successful track record in self-regulation. Most insight companies are (voluntarily) members of trade associations that insist they sign up to a set of ethical codes. But our study found these research and insight professionals are often not the caretakers of the data their companies hold. In fact, this sizeable responsibility is often handed over to the IT teams, who do not have a comparable appreciation of the importance of holding this information in trust. And the majority of leaders also believe that these individuals, the heads of IT, have complete responsibility for the budgets for their company data systems.

This raises concern about the extent to which the people responsible for the data are aware of, and responsible for, the ethical data obligations. If they’re not on the insights or marketing teams, are they even aware of these obligations in the first place? And so, are companies then able to fully protect their consumers? There is also the question of whether companies are able to get the most value from their data if it’s being held by teams that do not fully understand how data can, and should, be used to drive business decisions.

There are still fundamental gaps around data protection, a disconnect between leaders and industries, and if we don’t impose a robust level of education we will see history repeat itself.

The organisation of which I am director general, ESOMAR, is the global community for insights professionals. It was founded 70 years ago with an unwavering commitment to ensuring research and data collection does not harm individuals or negatively impact them. Our self-regulatory track record was commended as best in practice in the EU, and we worked hard with Brussels in the development of the GDPR legislation. But that was just the start. The insight industry is now working harder than ever to ensure that the GDPR remains the facilitator of good and innovative business practices that it was designed to be.

For more, visit

By Finn Raben, Director General of ESOMAR 




Get our latest features in your inbox

Join our community of business leaders