No Australian business has adequately architected its information systems to meet the requirements of the incoming Consumer Data Right (CDR) in order to share data in real time.
That was a key takeaway from a CDR panel during Gartner’s Data and Analytics Summit in Sydney this week which included the Chair of the Data Standards Body, Andrew Stevens, and members of the advisory committees that are developing the technical standards for the Customer Data Right from Westpac, Verifier and Simply Energy.
Apart from the technical requirements, new data governance rules, consent and strategic opportunities also need to be examined as the CDR is systematically applied to every industry across Australia, the panellists said.
The data portability scheme, which was legislated last year, requires data holders to share information in a machine-readable way when the customer asks them to. It’s beginning in banking, followed by energy and telco, but will eventually be an economy-wide customer and competition reform.
A bank, for example, must be able to produce data on its products, consumers or their transactions in two seconds, the same time it takes to complete an action in internet banking. The problem is that data lives in multiple systems which weren’t built for such a purpose.
Speaking on the panel was Jamie Twiss, Chief Data Officer, Westpac which is one of the initial data holders in open banking. He advised the audience to start working to understand CDR now, both from a technical point of view and the broader implications for your industry strategically.
“Depending on the state of your systems, the level of your ambition and what you’re doing today, it’s a significant change journey,” he said.
Twiss said CDR will bring a level of disruption to almost every industry as it is rolled out, which will ultimately benefit consumers.
“I think what we’ll see is lower friction in moving data around the economy will of course, ultimately benefit that consumer but it will disrupt industries along the way, and they’ll be winners and losers.”
Aakash Sembey, Industry Regulations Manager at Simply Energy is a member of the advisory committee for electricity, which is the second designated industry in the CDR rollout.
He used the example of a customer looking for energy data that is currently scattered across different systems. “It’s not sitting in a standalone system, there could be instances where customer is looking for data that needs to be taken from various different interfaces.” Under CDR all of that data needs to be consolidated quickly and arrive at a single location, Sembey said.
Andrews Stevens, Chair of the Data Standards Body, warned that organisation will need to get to work overcoming the design constraints of their systems now.
“I can guarantee you that there’s no organisation in this room that has architected their storage of their consumer data to enable easy access in the same timeframe as people would use when they activate their account with you,” Stevens said.
“So in the banking context, that transfer has to occur within the normal realm of your internet banking response time, which is two seconds. No one has architected this systems to do that.”
Lisa Schutz from Verifier, one of the initial open banking data recipients added to that challenge, “I can guarantee that not only are none of your systems ready for sharing in real time, but I can also guarantee none of your modelling protocols and data governance protocols are ready for a world where you have to account for absolutely everything you did with the data.”
Speaking to a room of data and analytics professionals Schutz made the point that CDR operates differently to the Privacy Act, the law which dictates how analytics professionals currently conduct their modelling.
“One of the challenges of a consumer data right is that it runs its own privacy settings,” Schutz said.
“In theory, as modeller, you would have to deal with data that you’ve got through consumer data right differently to the normal data that you’re getting through your Privacy Act. So the way I explain that is [like having] two sets of crockery and cutlery and two dishwashers all through your those legacy systems. Then you have to report twice a year to the ACCC that you got the data that you got, and you handled it the way you handled it.”
“I’m sure that many in the room are now starting to appreciate the technical complexity of that.”
A new era for consent
The panel agreed that attitudes towards consent would shift quickly once customers saw the utility of CDR.
“Historically, we’ve had relatively weak privacy and consent frameworks across the economy, because we used friction as a proxy for privacy. We didn’t worry too much about what people could do with other people’s data because the answer was you couldn’t do very much,” Twiss said.
“As the technology has improved, obviously, we see the need to actually lock that stuff down. Now, the interesting thing about the CDR is that obviously it puts in place, a clear framework for how we move forward with consent. But also, as we re-architect our systems, as we get better at data sharing, it will also increase the need to lock that down even further. So I think we’re at the very beginning of quite a long journey of privacy.”
In simplest terms, there are three key parties in the consumer data regime: the consumer, the data holder and the data recipient. Essentially the consumer consents to share their data, which is then transferred from the data holder to the data recipient.
“Consent will never be the same again. Consent washing and notice-based consent will have limited remaining lifespans,” Stevens said.
That could mean that the data sources that analytics professionals relying on today to create personas and models may be less available in the future, unless consent is handled appropriately, Stevens said.
“The reality is, it would be a good time, if you’re refreshing your customer insight strategy, to look at consent in your existing use of data with your customers today,”
The CDR rules put consent — and by extension, trust — in the spotlight.
“Trust is at a premium because if you’re not trusted, and consumers will not provide access to the data held about them. My prediction is you’ll be at a very significant competitive disadvantage,” Stevens said.
“How appropriately have you built trust in your approach to consent in your organisation?”