Event Recording

Doc Searls - How Customers Will Lead Companies to GDPR Compliance and Beyond


Nearly all advice on GDPR compliance is about what companies can do for other companies, or companies can do for themselves. There isn't much on what customers can do for companies, which may turn out to be the biggest help of all. That’s because customers are going to get more power all the time, and that’s exactly what the GDPR was made to encourage, whether regulators knew that or not. Doc Searls has been on this case for over a decade, leading ProjectVRM, which encourages development of tools and services that empower customers. (And which won a KuppingerCole award in 2008.) Doc will talk about how the best of those new tools will open easy and low-cost paths to corporate compliance with both the GDPR and ePrivacy regulations, while opening new market frontiers as well.

Okay then. So in technology, what can be done will be done. It's really invention that mothers necessity rather than the other way around. We didn't need a cell phone until it was there, and then suddenly we needed it. Right? Well, this is especially true for giant companies. They find themselves doing lots of things that they can do regardless of what the consequences might be. So let's take, for example, 2011, when this country, Germany, discovered, came to notice, that Google had been driving around taking photographs with little cars of every single residence in the country, which it had already been doing in the United States and Canada and the UK and France and other places. But this kind of offended the sensibility here, for good reasons.
Our homes are private spaces. We didn't give permission for this. This offended a kind of sensibility that we had. Now, it doesn't matter what happened after that. I noticed today I can't find anything on Erics. I guess the street view thing doesn't work here, and that's fine. Here's the thing: we didn't have privacy worked out. Now, we had privacy worked out. We've had privacy worked out. It's not controversial in the natural world among us here. We have privacy technologies. We invented the technologies first. We didn't come up with the laws first. We came up with the technologies first. We started peeling bears and we started making clothes, and we're all wearing privacy technologies. Privacy is a matter of selective disclosure, and it's also a matter of norms and of customs and of many other ways of signaling to others what's okay and what's not okay.
So why didn't we have that? Why didn't we have that by 2011? Why do we not have it in our browsers, even still? Our browsers should be like our cars or our bicycles. Instead they're infected by every commercial website we go to with tracking beacons and cookies. And that's why we have the GDPR. The GDPR is a case of, you know what? We don't have the tech here. You guys don't seem to be walking around naked still; it's 23 years into this thing, but we're gonna have to start forcing this, a real privacy. On the 25th of this month, 10 days away from now, the world is going to change, and it's gonna change because hopefully they'll start enforcing. But we don't have the tech. Why don't we have the tech? Well, there are two reasons. One is that it's only 23 years.
The internet that we know now really was born when the last of the backbones within it that forbade a kind of activity went down. It was the NSFNET in the US that forbade commercial activity. And it was one of the backbones; TCP pieces, data, could travel over any path. So as long as one of them said no, we didn't have commercial activity. Once they went down, April 30th, 1995, e-commerce broke loose and we had a different world. But it's only 23 years. We've had 10,000, 20,000 years to work out privacy in the natural world. We have this new world. This world is virgin territory. It's still Eden. We haven't developed it yet. The other reason has to do with identity, because what we've had for a long time, ever since mainframes, is what Devon Loffreto, a teacher and an activist in the maker movement in the US, called administrative identity.
It's important for organizations to have records, to have namespaces for all of us, to keep track of their customers, to do KYC and all of that. At the same time, he said, we also have in the natural world self-sovereign identity. And he called it that; he's the one who gave us self-sovereign as a term. He gave that to us. And what does that mean? It means you are in charge. You have your own private space. You are anonymous by nature. Have you ever noticed, like, for example, so here's my name tag right here. So let's say some of us have done this: you leave a place like this and you go to the nearest bar or something like that. And you're sitting in there and the guy next to you says, hi, Bill, or whatever. How do you know me? Well, you're wearing a thing, right?
We don't walk around the world with these. We walk around here with them because it's a convenience, but we don't use these in the everyday world. And we don't use it there because anonymity is a grace. Anonymity is the natural state of things, but it doesn't mean we are meaningless. We are distinctive. We are designed by nature to all look different, to all sound different, to all behave differently, to have different souls. Two people who come from the same sperm and egg, twins, can be radically different as human beings. The actress Laverne Cox in the US has a twin brother. They both came from the same egg. They're utterly different and distinctive as human beings. And that distinction is how we tell each other apart. If we have a store, we know somebody by how they look; we haven't necessarily taken their name yet. And what blockchain is about, what self-sovereign identity is about, is restoring in the digital world what we've had forever in the natural world.
So GDPR showed up in the absence of that. And the nice thing about the GDPR for me and for the companies that I work with is that the administrative systems of the world have said, holy shit, we gotta change everything now. And all of a sudden, the world is open to things like blockchain, which it never would've been, I think, otherwise. So I wanna talk briefly about what we can do now, once we start getting self-sovereign identity, once we are in charge of ourselves in the world, that we couldn't when we're living only in an administratively defined world where we have to live inside Facebook and Google and Apple and all of the other identity providers of the world. So let's go back to 1995. That's when my wife Joyce, who's here somewhere and who's active in the Sovrin Foundation and actually spoke twice as much as I did at the last conference you were at.
A lot of what I get credit for comes from her, and from the weird questions she asks that are absolutely profound. So does one she asked in 1995. It was shortly after her sister, one of her many sisters, took a job as the controller for Netscape, which was then a brand new company. Netscape was kind of our family company. We wore the swag and all that. And she asked a profound question. She's looking at e-commerce, going to all these different sites, Amazon and eBay being the big ones then, still around now in a big way in Amazon's case, and asks this profound question: why can't I take my shopping cart from one site to another? Why should I be stuck inside all these different silos? Why can't I have a wallet that's my own? Why should I have a Google wallet and an Apple wallet and a Facebook wallet and some other kinds of wallets that all belong to them and not to me, that are all suction cups on the tentacles of what Google got called by people here in Germany, a Datenkrake, a data octopus or a data monster? Why do I have to live inside one of those things?
And another one that was asked 12 years ago when we started ProjectVRM, which was kindly given an award by KuppingerCole exactly 10 years ago here for the work we started. And the paradigmatic question we asked, the one that we still haven't seen answered in the world, because we're still living in the administrative world, was: how can I, if I change my last name, or if I change my address, or I change my email address, or some other thing like that, why can't I notify everybody in one move? I don't wanna have to go like a bee from flower to flower to flower to flower changing all of those different things. I should be able to do it once, just one time for all of them. You can't get there from the identity provider, relying party model.
You have to get there from a self-sovereign model where you are in charge of who you are and how you relate to these companies. It's KYC going the other way: know your companies, not just that they know you. And they can know you a lot better if you are in charge; they don't have to guess at you. So I wanna give a couple of examples of the kinds of things we will start to see that have already been in the works for some number of years, mostly with small startups. One, in the book that I wrote in 2012, which I thought I was late with but turned out to be way ahead of its time, called The Intention Economy: When Customers Take Charge, we called a personal RFP or a personal RFQ. And we're now calling this intentcasting, and intentcasting is where you do the advertising, but you do it in an anonymous way to start.
I'm interested in this, or I'm interested in that. And I will selectively disclose, just as I would walking down a street, whether or not I'm interested in something. And I will reveal my identity in a gradual way. I love Kim Cameron's laws that he came out with in 2004; he'll be up here next. User control and consent, gradual disclosure for constrained use, justifiable parties. Those should be built into self-sovereign identity and the way that we relate to the companies of the world. If you go to the ProjectVRM site, you'll get to a blog. If you click on Wiki there twice, it turns out that's the way it is today, you'll get to our wiki where we have all of the developers already working on this. There are at least 20 companies working on intentcasting already in the world. There are even more of those for controlling personal data.
Controlling personal data is exactly what the GDPR wants for what they call the data subject. We should be in charge of the data that we reveal in the world, how it's used, and we should be able to do it through our own privacy policies and our own terms and conditions, turning that thing around and keeping a record of that, ideally on a blockchain. I can't think of another way to do it, but then again, I've got blockchain on the brain. There may be other ways to do it, but we need to be able to do that. And there are a lot. This goes by a lot of names: personal information management systems, data vaults, data lockers; KuppingerCole called it life management platforms, and Martin mentioned this earlier. We are going to have these, we need to have these, or we will not. We haven't arrived yet at the world that opened in 1995. So I think I'm at 17 minutes, or close enough, I don't know, so that leaves enough time for questions. I may be the first speaker where Martin didn't come up like a timer and stand at the end of the stage.
Exactly. Doc, thank you very much.
Thank you.
You have been super fast, but also super informative, as usual. And so thank you very much. And I think for our Q and A session, the one thing I'd like to do is ask Juan Carlos Lopez of DXC Technology to come to the stage as well. He will be a speaker in tomorrow's GDPR track. And so you had GDPR in the title of your speech. So welcome, Mr. Lopez.
So I think we are 10 days away from GDPR becoming effective. It would be really interesting what exactly will happen then. And I'd like to start with one question to you, because my strong belief is that we talk a lot about consent and the right to be forgotten and some other stuff, but I think there are some more things in GDPR which are not as prominently discussed as they should be. Maybe you could just raise three of the biggest challenges imposed by GDPR to foster our bike. There is some microphone over here.
Yeah, it works. Good question. In fact, there are a lot of things that are hidden in the GDPR. And one of the consequences of the GDPR will probably be that somebody one day will ask me, Juan, do you know an expert on GDPR? And I say, yes. Can I have the email? No. So this will probably be one of the consequences. But no, seriously, I think that, for example, the material scope of the GDPR is one of the big issues. Most of the organizations, I'm also a member of the E commission, by the way, and most of the organizations didn't really understand the differences between Article 27 and Article 37. Just for information, Article 37 is that you need to appoint a DPO, a data protection officer, and Article 27 that you have to appoint a representative. Now, the point is when you have to appoint a representative, and it's mandatory for the non-EU-based organization, and they need to appoint an EU-based representative because of the GDPR. And this is something that's not really always clear, and the message doesn't always come.
So, as a non-EU company, you need to have a representative over here, but this is not a DPO; you need also a DPO.
Exactly.
Okay. And the second pick?
The second aspect that I will pick up here is, for example, related to HR. When you're doing the recruiting process, you're hiring somebody, what happens with the rest of the CVs, the resumes, of those that you are not hiring? So the candidates have to write to say, please delete my information, but in some cases HR has the right or need to store this information for failures. So they need to be prepared to answer these questions, please delete my data, which has nothing to do with the right to be forgotten. That's something different.
And number three?
And the third aspect, which is in my view the first aspect, is what I personally call the IT dilemma, in terms that one of the hidden requirements, and this is a very big requirement, is the data storage requirement of the GDPR. You will find no article inside the GDPR that talks about it, but that's true: you need now more space. So on one side IT needs to save money, so reduce TCO, but on the other side to be conformant and compliant. My very personal suggestion is to create a GDPR board with experts and try then to focus on the identification and categorization of the information that you have.
Doc, what is from your perspective the hidden thing in the GDPR people are not aware enough of?
Well, to me, the point of view that I take is entirely that of what the GDPR calls the data subject, you and me. What the GDPR attempts to do, and I think it will do successfully, is put up a bunch of protections for individuals. But I think we are going to have a lot of permission to take action on our own. So for example, as part of the work that I do and my colleagues do, we're gonna do our best over the next 10 days to have everybody in the world turn off all third-party cookies on whatever browser they're on. At Customer Commons, our nonprofit, we already have instructions on how to do that on five browsers; all of them have that as an option. But we really wanna make a movement out of this because, frankly, we want to cut the head off the entire ad tech business. The ad tech business is based on spying on us. It is dot and con, it is bad, and it needs to be killed. And I think the GDPR gives us a way to start killing a serpent in the world and replacing it with something much better, which is more ways for us as customers to signal companies what we're looking for and what our terms are and our conditions, and start civilizing the net for the first time. Okay.
Let's have a quick look at the questions, if there are any. No, no questions.
I think I want to bring up one point from my perspective. I think one thing, what you say, is important: the data subject right now has the right to raise complaints directly to the DPA, and that means the DPA needs to get active. It's different to all the regulations we had before. The other thing is, I think it's very interesting to look at the process between warning and fine. So if you look at a standard process, the fine is not the final step. The fine is the final step, but probably the big step before is that you need to potentially interrupt your service, which can be far more harmful than the fine itself. If you look at some of the things that the US published around it, it's a very interesting thing that could bring in even more harmful things ahead of the fines. And so I think it's very good to look very carefully at what GDPR brings. There are so many interesting things in it; we didn't get all done.
Well, I have a question for you and for the audience, short question: is the EU gonna come down on Google and Facebook on the 25th, and how hard?
Wait and see. I don't want to predict, but I think they will go for the big ones. What is your point?
Well, I don't think it will be just limited to Google and to Facebook. It is a regulation, and we are in Germany, and Germany is the first nation EU-wide that has transformed the regulation into law. So nobody knows what will happen. In fact, there has been a lot of what I personally call GDPR terrorism. In that sense, you mentioned the fines, for example; this is really the extra measure. Yeah. And the last resort; it will not be the first. We have warnings, we will emit advisories, and it'll be about education first.
It's educational. Okay. So thank you very much; we are running out of time. Thank you, Doc, for your keynote. Thank you for coming up to the stage, and as an expert, see you tomorrow in your session.
