Breaking down the White House big data and privacy report
FORTUNE — Ten years ago, many large companies knew next to nothing about their customers. At Burger King, for example, “You’d hand over your $2, you’d get your Whopper, and that was it,” Kirk Nahra, a partner with Wiley Rein, says.
What a difference a decade makes. With today’s loyalty programs and social networks — to name just two examples — “There are a million ways they can collect data now,” Nahra said.
And collect they do, sometimes with completely unforeseen consequences. Invasive, pervasive, sometimes abrasive — welcome to a world where businesses believe there to be value in “big data.” Though the field is nascent — many businesses don’t yet understand what data they have available to them, and even if they do, they may lack the resources to run sophisticated analytics on them — it gained high-profile attention earlier this month when the Obama administration released its Big Data and Privacy Working Group Review.
“The big data revolution presents incredible opportunities in virtually every sector of the economy and every corner of society,” wrote John Podesta, counselor to the president, in his introduction to the report. “But big data raises serious questions, too, about how we protect our privacy and other values in a world where data collection is increasingly ubiquitous and where analysis is conducted at speeds approaching real time.”
Ninety percent of the data in the world today was created in the past two years, according to the Electronic Privacy Information Center. Google alone holds more than a million petabytes of data, and it processes more than 24 petabytes of data each day — that’s thousands of times the quantity of all printed material in the U.S. Library of Congress. In 2020, the amount of digital data produced will exceed 40 zettabytes, which is the equivalent of 5,200 gigabytes for every man, woman and child on Earth.
The problem is that each one of those bytes has the potential to lead a company into trouble. “A lot of times the data collection is going on without management or the company’s lawyers knowing about it, and without being thought about,” Nahra explained. “There are risks in several different categories.”
The government’s report is largely a series of recommendations. Still, “it should be a wake-up call for businesses,” Nahra said. “The whole idea of what you do with data is becoming a more and more important part of every business.”
Is the administration in line with the business community? Fortune asked a few experts to compare notes with the White House.
1. Be discriminating
The report cautions against big data’s discriminatory potential, but experts said that when it comes to collecting that data in the first place, a little discrimination is a good thing.
“Don’t just collect it because you can,” Nahra advised. Instead, be deliberate and ask why you’re collecting it — make sure it serves a particular need.
“Big data is sort of fundamentally opposite to that,” he noted, whereby the urge is to “collect everything you can and then figure out what to do with it.” That may not be illegal now, but it is risky, he said.
Many companies will need to get a better understanding of their data and how it’s collected, added Mark Schreiber, a litigation partner with Edwards Wildman Palmer as well as chair of the firm’s Privacy and Data Protection Steering Committee and chair for Privacy Matters at the World Law Group.
“Some will require new tools that allow them to appreciate the data flow, where the data resides, how it is stored, for how long, how it is applied and the means of protection at rest and at each point of transmission,” Schreiber said. “This will mean more sophisticated data audit and inventory tools and enhanced roles for a variety of consultant firms and cybersecurity assessors.”
It’s a good idea to compile a set of documented ethical guidelines for analytics professionals, Max Simkoff, cofounder and CEO of workforce science software company Evolv, said. Partnerships with third parties such as academic institutions, meanwhile, can help provide independent confirmation of the conclusions they draw, he added.
2. Be transparent
Be open and honest with consumers about the data you collect and what you do with it, including how it’s being kept secure, the White House cautions.
“There are lots of organizations not doing that,” Simkoff said. “If you’re using the right kinds of sources of data in the right way and being smart about it, you should have no problem being transparent.”
In fact, much the way there is a “Passenger Bill of Rights” of sorts for air travelers, so retailers and other companies may need to come up with something similar regarding their data use, Christian Hagen, a partner with A.T. Kearney, said.
“Companies will be forced to build more trust,” Hagen explained. Amazon (AMZN) is one example of a company that has already done well at this; on the other end of the spectrum is Target (TGT), where a massive security breach led to the departure of both the CIO and CEO.
“In the next five years, we’re probably going to see a company — likely a retail company — go under as a result of a breach like we saw at Target,” Hagen predicted.
Companies must also be more proactive about advocating the benefits of data collection to their customers, said Khalid Khan, another partner with A.T. Kearney. “Businesses can’t just rely on customers seeing the benefits by themselves,” Khan said. “They need to be activists, as opposed to hoping momentum will work in their favor.”
3. Abide by the law(s)
“The advent of more powerful analytics, which can discern quite a bit from even small and disconnected pieces of data, raises the possibility that data gathered and held by third parties can be amalgamated and analyzed in ways that reveal even more information about individuals,” the report states. “What protections this material and the information derived from it merit is now a pressing question.”
There are already numerous legal precedents regarding the use of personal data, Simkoff noted, so “don’t be exploring conclusions or trying to do big data analysis queries in areas where there is legal precedent saying you shouldn’t.”
That’s also going to require taking an increasingly global perspective, A.T. Kearney’s Khan pointed out, as cases like the “right to be forgotten” issue now facing Google in Europe can affect any company online.
“In the past, a lot of companies in the digital space have relied more on where the data is stored and analyzed and less on where it was collected” to determine their legal responsibilities, he noted. “That’s changing.”
4. Put privacy front and center
“Whether an individual reasonably expects an act to be private has framed much of our thinking about what protections are deserved,” the report states.
Privacy choices, preferences and features should be recognized and embedded early in product development through what Schreiber calls “privacy by design,” a notion that “will become increasingly important and standardized,” he said.
“It’s all the more important now to bake privacy in from the start of design in customer-facing applications and processes,” agreed Jeff Spivey, international president of ISACA and vice president and strategy advisor with RiskIQ. That, in turn, “may cause enterprises to modify how they develop new processes and products.”
Toward that end, some companies may need to expand their technical chops by hiring new data experts, Simkoff said. At Evolv, for instance, “we have a large and growing team of both economists and econometricians as well as industrial organizational psychologists,” he said.
5. Watch for opportunities
The report insists that businesses recognize that the changing climate will bring with it not just a fresh set of challenges but also new opportunities. Experts agreed.
“Since there’s so much intrinsic value assigned to individual data creation and concern around privacy, I could envision companies emerging that start to provide consumers with software products or services that allow them to take more control over the data being collected about them,” A.T. Kearney’s Khan said — companies that find a way to monetize growing concerns about privacy and data protection, in other words.
Indeed, “privacy along with big data will become a business in itself, with an increasing number of privacy and data protection jobs in corporations, government, healthcare, and education,” Schreiber said. “Privacy training in companies – which is rarely done other than where required, such as in industries like healthcare or financial services – will become routine and commonplace.”
Such changes “will encourage private equity and other investment strategies aimed at anticipating those opportunities,” he added. “As the market for this matures, funds will be developed for these targets.”
In the public sector, there could also be opportunities for companies to provide extra products and services aligned with the broader government policy platforms that emerge, Khan suggested.
Finally, since the White House report offers recommendations for possible future policy, it behooves businesses to monitor that activity, Spivey said. “Organizations can, should, and likely will have an interest in making sure that their interests are represented in future policy efforts,” he said. “Now is the time to take notice and start preparing.”
More big data coverage from Fortune: