
The Unbearable Lightness of Data / The Unbearable Heaviness of Data Protection

Why does Cristiano Ronaldo earn 100 times more than a neurosurgeon? Is it because his footballing skills are that many times harder to master than a neurosurgeon’s? Or that I get 100 times more happiness, wellbeing or value from him than I do from a neurosurgeon? No. It is primarily because one person (and their loved ones) get the value from a couple of hours of a neurosurgeon’s time, whereas a billion people can enjoy watching Ronaldo’s silky football skills during a game, and indeed they can continue to enjoy them many times over, forever. The Ronaldo experience is scalable; the neurosurgeon experience is not.


This story essentially boils down to the lightness of data. Data can be created, stored and transmitted at very small cost compared to the value it can create. So any business that boils down to information is potentially massively scalable and hence profitable. That is why we see the surprising valuations of Airbnb vs. conventional hotel groups, and so on.

What is the rational response of any company to this? Clearly, it is to work out how they can ‘informationize’ their business model. Gather as much data as possible. Look for ways to monetize it, both to make their existing business profitable, and maybe to create new lines of business from the data. Regarding consumer/citizen data – the more the better.

On a philosophical note, I would suggest that this asymmetry between physical businesses and informational businesses is actually causing free market economics to break, or at least to creak at the seams. (That is why I borrowed the ‘unbearable lightness’ meme from Milan Kundera.)

But on a more practical and immediate note, the incentive has been for all of us to become data hoarders. We have acted as if all data is good data to keep, even if we are not quite sure how we will use it. The only slight incentive in the other direction is data protection and privacy – making sure we don’t use data in inappropriate ways or let it leak to evil-doers.

Enter GDPR, the data protection directive that comes into force on 25 May 2018, and applies to anyone doing business in the European Union, or with citizens of the EU. Perhaps more importantly, it is the high-water mark for data protection that Canada and others are following, and it is widely believed to be the template for global data protection standards.

If I were to translate GDPR into a short summary of sentiment, I would describe it as “Right. That’s it. No more Mr Nice Guy.” GDPR attempts to protect individuals’ rights very thoroughly, in terms of their right to know what you know about them, to be forgotten, and to be informed when you have a breach that affects them. And all of this has to be prompt. The penalties for violating these rules are very severe, reaching up to €20 million or 4 percent of the violator’s global group revenues. The rules are also designed to make sure companies cannot delegate responsibility to other companies processing their data. The buck stops with you, whoever is doing the processing for you.

Suddenly, data doesn’t feel so unbearably light any more – in fact, GDPR makes data feel rather heavy and expensive. Companies and government agencies have to make smart decisions about what data they want and need to hold, and have a very good handle on where it all is, in case a request for information or erasure comes in, or indeed a cyber-security breach. My colleague Mike Bufalino will be writing about GDPR in more detail as part of our soon-to-be-published report on cyber risk for the board, but suffice it to say that there is considerable concern that many companies might well not be ready when GDPR comes into force in May 2018.


The upside of compliance with GDPR is that a company must have a very good handle on all data related to each individual customer. Achieving this may well create a more sophisticated understanding of the customer, and uncover additional business opportunities.

Although this certainly isn’t a CIO/IT-only issue, we would expect every CIO, as a digital leader of the business, to be getting ahead of this issue, and helping their colleagues in the C-suite make smart decisions around their approaches to data and data protection.


Doug Laney 04.31AM 12 May 2017

Great points about data and information-based businesses Dave! You're going to enjoy my Infonomics book (out Sept 19) that discusses how orgs can monetize, manage and measure information as a true asset. One of the chapters is on how traditional economic concepts (e.g. supply/demand, productivity frontiers, pricing/elasticity, marginal utility) can break down when you substitute information for goods/services (as they were initially conceived). But there are valuable lessons too for enterprise architects and of course infosec pros. --Doug Laney, Gartner

