Doing business with data 'key masters'

Many believe that the next big advancements in medicine will come from understanding and manipulating large amounts of health data – from precision medicine supported by AI to big data analytics which may help in finding new treatments to incurable diseases.

The exciting prospect is also a conundrum however, as the data in question is often of a special category, surrounded with protections and restrictions that currently prevent the research community accessing or using it to anything like an optimum level.

Personal data that attracts a form of proprietary title has been long been a topic of debate in commercial matters – between phone users and telecoms companies, for example. Here, contracts often clarify and define which party has rights or restrictions (sometimes expressed as ownership rights) over the use of data. In other words, the parties would agree on what the ownership stake in the data looked like.

The growing importance of bringing the individual data subject (eg a patient or employee) into the equation has recently gained prominence through tough laws like GDPR. The GDPR does not only define what "health data" is in more detail than before, it also defines "genetic" and "biometric" data. On the other hand, the GDPR aims to further scientific research purposes and places an emphasis on the creation of bio banks and other registers which may help in finding solutions to yet incurable diseases.

Given the strength and coverage of GDPR legislation, it is hitting home with businesses, governments and other institutions that the data subject will always have an ultimate master key, no matter how many locks commercial parties apply to the data and its use.

With the 'key master' gaining more power, taking steps to unlock data usage by other means creates nasty regulatory and governance risks. The question of trading data is also complicated by consent requirements and the un-waivable rights of the data subject to later change their mind and withdraw permission, or to claim no permission existed for a purpose that was not envisaged at the time the permission was given.

Can companies really prepare for such a landscape?

There are specific guidelines from regulators on how information and consent declarations need to look in this context, especially for research. But convincing data subjects that there is a 'trade' to be done which offers a value exchange (more than simply a value proposition) is essential. It needs trust from a data subject. And regulators are better equipped than ever to investigate and decide whether the value formula is genuine or nothing more than a house of cards.

What's needed to 'transact' in this environment is a living, breathing culture of sound data ethics. The winners in the commercialisation of data will be organisations that have genuinely built a system of data value exchange based on trust and operations that are subject to sound data controls.

Those who believe they can't afford to make such an investment in data governance will be running unbearable risks.