The Actionable Futurist® Podcast

S4 Episode 11: James Walker from Rightly on GDPR and consumer data rights

May 23, 2022 The Actionable Futurist® Andrew Grill Season 4 Episode 11

May 25th 2022 marks four years since the General Data Protection Regulation, more commonly known as GDPR, came into effect in the UK and the EU. The GDPR's primary aim is to enhance individuals' control and rights over their personal data and simplify the regulatory environment for international businesses. Four years on, though, are consumers adequately protected?

I spoke with James Walker, CEO of Consumer Privacy champion, Rightly, to better answer this question.

James is a consumer rights advocate and entrepreneur. He founded and grew Resolver, a free, independent resolution service with 18 million unique visitors a year that has solved six billion pounds worth of issues and is the largest independent resolution service in Europe. 

James has advised Government, Regulators and Ombudsmen on consumer rights and how to deliver better customer services. 

He is on the Board of the Dispute Ombudsman, a Consumer Expert to The Office of Road and Rail, a Non-Executive Director to Consumer Scotland, a co-founder and Non-Executive Director to The Collaboration Network and an advisor to Life Ledger.

We covered a number of relevant and practical topics including:

  • What is Rightly?
  • What does Rightly do?
  • What has been the reaction from advertising companies?
  • What is GDPR & what's happened since its launch in 2018?
  • What changes are required to GDPR to make it work as intended?
  • What is my digital footprint, and how far does it extend?
  • How does Rightly work?
  • Can you check if companies have replied to your removal request?
  • The business model
  • Brokering a fair value exchange for our personal data
  • Brands' obsession with data
  • The need for transparency and openness
  • Open Banking's influence on open data
  • The role of regulators
  • Staying safe online
  • Why breached data has a half-life
  • Consumer research results
  • What's next for
  • Advice for the UK's Information Commissioner's Office
  • The notion of the Polluter pays model
  • Three things to do today to start controlling our data


Your Host: Actionable Futurist® & Chief Futurist Andrew Grill


Welcome to The Actionable Futurist® Podcast, a show all about the near term future with practical and actionable advice from a range of global experts to help you stay ahead of the curve. Every episode answers the question what's the future with voices and opinions that need to be heard. Your host is international keynote speaker and The Actionable Futurist® Andrew Grill.

James Walker:

My guest today is James Walker, CEO of consumer privacy champion Rightly. James is a consumer rights advocate and entrepreneur. He founded and grew Resolver, a free independent resolution service with 18 million unique visits a year, that has solved 6 billion pounds worth of issues so far, and is the largest independent resolution service in Europe. James has advised government, regulators and ombudsmen on consumer rights and how to deliver better customer services. He's on the board of the Dispute Ombudsman, a consumer expert to the Office of Road and Rail, a non-exec director to Consumer Scotland, and a co-founder and non-executive director to The Collaboration Network and advisor to Life Ledger. Welcome, James.

Thank you. Good afternoon, or good morning, I'm not quite sure what time it is.

"Podcast" is timeless. So whoever's listening to this, it'll be any time that they're listening to it.

I like that. I like the idea of it being timeless.

We had a nice little chat off-air. I know that we're going to get on really well, we've actually agreed to meet in person, which is unusual for podcast guests. But I think by being in London, we'll have a lot of fun. Let's get into the podcast. I've had a look at your service. Clearly, we both understand the issue of consumer data quite well. But can you explain to our listeners what Rightly is and what consumer problems it solves?

Absolutely. So that there is something that we all think about at some point, but we never do anything about fundamentally, which is we always go, I wonder who's got my data, I wonder where my data is, or I wonder how my data is being used? Or we sit there and go, hang on a second, how did I get that spam email? Or why did I get that scam phone call? But we never really then go, how did that come about? And the reality is, it's all about your data, your data is key.
And the thoughts on Rightly is that we are there to help consumers to be better at being able to manage, look after their data for one, and two, to be more in control. Because if you control your data, you can control how it's used, where it's used. And you can be comfortable that it's not being something that's being used against you. So fundamentally, you know, we are a champion of data, we call themselves that we are a champion to help consumers to take control, take the right action, and actually sit there quite comfortably at night on the sofa with a cup of tea, or a beer in the pub, and know that they're not going to get the annoying scam phone call or the spam that they were getting before.

For example, you say you're a champion of data, which is great. But what does that actually mean in practice?

It is in practice about helping consumers to be empowered. You know, we can only be a champion if everyone is part of a movement fundamentally. So what this is about is helping consumers to take control and empower themselves, help them to be their own champion. We are there to create the framework to help everyone else to be their champions. And we will help you to be that champion.

Data is the king of advertising agencies in consumer companies. So they must not like what you've done, because they like having all this data. What's been the reaction from people that are not as great at handling data in the world?

There's a few people that you could slightly annoy fundamentally, by being in more control of how your data is being used. There's a big one, and they're called the market service providers, are sometimes called data brokers. Their role is to be obsessive about you, not to the point of coming around and taking stuff out your bin, but obsessive enough that they will do as much effort as they can to find out information on you, the reason being the more they know, the more that they can sell it for.
And this is where it gets a little bit depressing to be honest, because your data is probably worth about 50 pence maximum. So did you ever think yourself would be worth 50p? You get what, a Mars bar or something, if your is the only thing that you could get with the cost of your data these days. But when you aggregate it together, what you have is a lot of information on a lot of people. What happens with that is that it's then sold on to brands. Brands, again, are obsessive with the idea of who's the target customer and how to get to them. So if I can tell them as a data broker that I've got the perfect match for your customer base, how much somebody's willing to pay for you, but a lot of data together, and a lot of money starts changing hands. So yeah, people do get annoyed with the idea of people taking back control of the data. And then the line that's used is, well, won't those people want to be finding out about new products or services that could be of interest to them? But isn't that what marketing used to be about and should be about, is serving adverts and trying to find the right people rather than becoming slightly scary and stalking you by being able to know that it perfectly fits you? Don't get me wrong, I have no issue with, everyone gets obsessed with cookies, I have no issue in principle with actually understanding what you've done and helping be able to target. Where I have an issue is where you go to the next level. I can think of one data broker, for example, that has data on me that has my kids, their ages, when I bought my house, when the income a job is, my propensity to get cancer. I mean, they could sell that to anyone.
And therefore, actually, a service that I would want to buy could be the price and could be deemed based on that data, which is inaccurate, and I haven't been involved in or didn't even know was stored on me.

Now, today is GDPR day. I don't see any candles or cake there. But it is cause for celebration, because four years ago today, it came into effect. Those that have been under a rock, GDPR stands for General Data Protection Regulation. So you're more of an expert in this than I am. Maybe just for our listeners around the world, what is GDPR, and what's happened in the last four years?

GDPR was a set of regulations created by the EU, with the logic of helping consumers to take back and control their data more effectively. Really strong principles, great idea, not quite as good in the execution of. I remember companies in 2018, when everything was kicking off, being, oh my god, we've got to change this. What do we do about this? Everyone was panicking from a business perspective. Four years on, we're sort of in a situation where everyone's gone, well, we don't really need to follow that rule as much as we did, we could do this instead. I can think of a firm where I bought some socks from, made from bamboo, very nice socks, and it had a box on that site that said, tick this box. My presumption was reading, if I tick the box, they weren't going to share my data. Turns out that they weren't going to share my data. And they shared it with 25 companies, as well as a marketing service provider. That's illegal. I go round and sign up for services every day to go and test websites. I am signed up for so many marketing lists, where actually I should have had to tick a box to do it. So fundamentally, GDPR was about how your data is used. It came in with a hail of glory. I would say that it's not sitting there as being the panacea to all the problems that exist. Fundamentally, the businesses are not doing what they should be doing.
And the problem for the consumer is, you know, give you a really good example, one of the things on GDPR is that if my data is shared to a company within 30 days, the data controller should inform me that that data has been received by them. The problem is no one does that, literally. And no companies do that. So I went out to look at how big my data footprint was, and thought it would be as big as the people in my inbox. Actually, it's somewhere about four to five times the size of that. Because there are so many companies that have bought and sold my data and have never told me and are building up profiles on me that I don't know about. For me, the issue with that is that it seems unethical. It seems unfair. And it seems actually something that puts me at risk. And I am not in control of an asset that is fundamentally mine, which is who am I?

I think you and I know what we're doing. And actually I remember well before the GDPR regulations came in, it was the Data Protection Act here in the UK, and a particular company that sells clothes that has a non colour in their name, let's say, started spamming me, and I'd hear what you did, this is back before GDPR, I worked out how they got my information because I was sending information to my home in physical mail format. So I then emailed the marketing director, and I said, under Section 10 of the Data Protection Act, I had it off my heart, you should stop doing this. And they eventually did. But I gotta tell you, I actually went and visited a couple of real estate agents in person, disrupted their morning meeting, I said, I want you to take me off your list. And they were completely shocked. Why would someone come and do that? But it comes back to when you write. It's the ethical marketing, I have no problem with people having my information. If I've given it, I actually have no problem with people market.
To me, it's something I might like, but it's when I don't want to have the data and they don't have a way of getting rid of it. I think that's where you have unethical marketers. In fact, another broadband company that rhymes with sturgeon used to send me "to the householder" white envelopes. And I realised that the time that under the Mailing Preference Service, she couldn't stop those because my name was not to the householder. And I actually suggested that people should take the A4 envelope, put a roofing tile in it and send it back to the Chief Marketing Officer. That's what he's got to take to tell people that this is just wrong. What changes are needed to the GDPR regulation to ensure it remains a deterrent in the future, if companies are kind of ignoring it at the moment?

UK Government wants to reduce the effort that businesses have to go through to run business. And one of the obsessive elements of that is cookies, and people going, oh, we shouldn't have cookies. Cookies, what they're doing is they don't really know anything about you, they know about your browser or your device and where you've been. It's the level of data that I'm more concerned about, which is the data that truly knows about you. I don't mind being marketed to. I don't mind people having basic information on me. I do feel slightly uncomfortable when the information is very detailed, I don't know where the information is, and I don't know how it's being passed. So my first point is that if you're going to make GDPR better, is that there does need to be the enforcement: if your data is passed to someone, you should be made aware of it. Because you should have the ability to consent to whether they have it or not. The ability to sell data and the ability to buy your data and without your consent comes under something called legitimate interest. The logic is that I can market to you because I think you are somebody that would like to buy roof tiles, and probably A4 envelopes as well.
And therefore, you are the person that is my perfect customer. I can go out and buy your details. Okay, that's fine. But I don't know that you've bought them. I mean, I went to check Facebook, for example. And I found two and a half thousand companies uploading my email address. They seem to be random ones, a lot more random ones than you'd imagine. Jeep Wyoming. I'm not going to Wyoming soon, and I won't be buying a Jeep if I do go there. So why have they got my data enough to upload it to Facebook, to work out how to target me? So your data is out there. It's out of control, fundamentally. So you shouldn't have the right to know who's got your data. The second part is that deleting it or asking for it should be a lot easier than it is. Businesses have an ability to ask you, okay, I need to be able to verify who you are. But they will make it harder than it needs to be. You know, for example, somebody that's got you on a marketing list will say, well, I need to see a copy of your passport to be able to confirm who you are. What, you never saw that when you put my data in. Or a firm that you can sign up online and buy a service from by ticking a box, when it comes to deleting your data or asking for it again, would like a copy of your passport. Well hang on, you didn't need that to sell a service to me. I can think of a telecoms company, that's two letters, that when I asked my data centred on a CD ROM, my last computer, the CD ROM was 10 years ago. I believe it should be about easy, it should be about being simple. And the other part for me as well is I have real concerns about who can buy my data. And what I mean by this is that when I did my data footprint, and it took me three months, and it shouldn't take somebody three months to do this, it should be three minutes. Fundamentally, I found that a lot of data have been brought from competition websites. I'd never been to any of these websites. I went and created a new email address, I tagged each one.
So I knew that it'd been put in there. My data was passed from those websites on to people trying to commit scams against me. So I had spear phishing attacks and to say, you know, why don't you buy our service, you only want to pay a pound and you got to get a 200 pound laptop, because you got to pay the delivery access. I know where it came from, I know who sent it. And I know where I put it in. Hang on a second, my data is being sold to scams. I don't want that. I don't want to put myself at greater risk. If I don't know who's got my data, how can I be in control?

So you mentioned the term before, digital footprint. And I think I know what it means. Can you describe for our listeners, what is a digital footprint? How far does it extend? And how do you discover extend?

Well, that's an interesting one. If this was a proper footprint, I probably have walked in most countries, I'm going to guess, in the world in some shape or form. Your digital footprint is where is your data? What is it? And who's holding it? What's the number of services that you've touched? Where have you been? Who's got your data? But also who's got your data that you don't know about? And then there's a next layer of complexity to it, which is, what is the data that they've got, you know, how deep is the data? How much data have they actually got on you? And I go back to that example of their propensity to get cancer. That's pretty deep data under GDPR. That would be considered sensitive data, and is not something that a data broker should be holding on. So your data footprint is how many companies have gone up? How do they get ahold of it? Who have they shared it with, and what data they've got on you. And you suddenly start building up a very interesting profile. If you go and look at a number of these companies that buy and sell data, within their privacy policy, they will have lists. And those lists can go on and be 250, sometimes 500 organisations that they may be selling your data to.
And the key word in that is may. So how many people have it? Often, they don't know. I had a great example of one company telling me they bought my data in for a company, that company that bought the data in from said, no, we've never sold it to them. After three attempts of going back to both of them, one of them finally admitted, actually, I think we did sell it to them. Yeah, sorry, we didn't record it properly. Well, if you're not recording properly, you don't care about me. I don't care about you. Get rid of my data. Thank you very much.

So Rightly is one way that you can discover what services you're on and, as you say, how big your footprint is. Talk me through how Rightly works to actually remove you from these lists. Is it automatic? Is it manual? How does it work?

We've made it as easy as possible. The logic is start the process in about three minutes. That's opposed to when I tried to do it, it's about three months. So we've tried to condense down what was a very long process and a very quick process. We've got two key areas that we're doing that through. One, scanning your inbox, and what I mean by that, because now, isn't it ironic, a company that wants you to delete your data is also trying to get you to sign up for an account and scan your inbox? Well, if we don't, we don't know who's gotten, if we don't who's got it, we're not gonna help you get rid of it fundamentally. So we scan your inbox, but this is an iceberg, we're only scanning the from email address, we're only looking at the company that sent it to you. And this is also really interesting, if you take a brand, they can be using five or six different email addresses to email you: the standard marketing one, a special promotions one, customer service, etc, etc. So we've aggregated those all together. And so far, we've done that for 25,000 companies, and we're adding companies at a billy over rates, because we need to get to about 100,000.
Before we're starting to make a dent on this, we're adding loads of companies, we're gonna get there, and we're getting there super quick. But you can then go in and choose which companies you want to delete from. The important bit is go and choose the companies that you're not using any longer, press the button. And then what happens is that all of those go and they send from your email address, the companies can reply back to you on what needs to be done. You're looking at around 75% of companies will automatically just delete the data. Interestingly, deleting data is easier than asking for data, which is a subject access requests, where you ask them to send the data back to you. They get more worried about sending something out than they do about pressing a delete button. Because it's a bit like, if it goes wrong, well, we didn't send it to the wrong person, we just deleted everything we know about you. So that's the first element. The second element is that we have a second complimentary service called Stop junk marketing. And what that's about is basically going out to the nodes on the network, the people that buy and sell your data, and telling them, I have a right to object to processing my data. And this is really important because it's different from a deletion. Or deletion just get rid of it, very unlikely that a company that you've shared data with is going to buy it back in. On the data brokers, they buy and sell your data between each other. It's a bit like having a, I don't know, the gambling game, and everyone's sitting there and trying to swap cards with each other, I can't think of what gambling game it would be now. They buy and sell your data. So a right to object processing means they get rid of the data they've got on you. Now, they buy it back in, they have to delete it again. So they can't get round, any process of going the deleted everything. And the next week, they buy the data back in again on you.
They can't have it now, they can't have it next week, they can't have it next year. Doesn't matter, you have objected and they have to remove it. And there's an element that this then executes upon as well, which is, by doing that you've reduced your digital footprint down, you reduce down your likelihood to be scammed because data loss in breaches is used in scams, you reduce down your annoying magazine that you got in the post and want to put a tile back in the post about, but also, what you're doing is you're preventing your data from growing and growing by the fact that it can't now move around. Fundamentally, you're putting it back in control, you now choose who's going to have your data. Now, I think there needs to be changes to the GDPR regulation to mean that this is easier to do. And you don't need to go and ask everyone. But fundamentally, the best thing you can do is to start taking back some control, get back in control as much as you can, and get rid of the data from as many people as you can as quickly as possible.

So while this is a request, I know under GDPR law, they've got 30 days to respond. Is there a way you can check whether they've actually replied? Because I can go on to right there, I can do all of this there, my life gets busy. I start getting spam again. And I've gotten didn't I get rid of that? Because where's the link between what? What essentially you're asking for on my behalf? And then I'm actually doing it. And then to the, I suppose, the blacklist services, the brokers, if I'm blacklisted, if my emails blacklist and they shouldn't have me on a list? Do you then go back and check they've done what they've said they would do?

So this is at the moment tricky. Fundamentally, there's actually two types of companies out there. There's the ones that are legitimate, and we're asking them to leak data.
And what we're building into the service is an always-on function, whereby every few months, and we've got to determine what that is, that we'll send out and say, I'm making sure that you still don't have my data, and you've complied with that. And that's really key. So actually, you can turn this on and not worry, because the logic is that we can keep that go on. We're building that out. The other bit though, that when we build that out, is that we're then looking at how that we add in functionality to look at the incoming emails in your inbox, again, only the from address because I don't care about anything else, to pull in the FCA Financial Conduct Authority list of dodgy traders, to do the same with the Solicitors Regulation Authority and other lists, to therefore be able to but you if something comes in that you may think is legitimate, but shouldn't or isn't, and you shouldn't be dealing with. And that's not that uncommon. You get the scam phone call about PV panels. And they go, yeah, yeah, we send you through the paperwork. Email comes in, and we go, that's on a list of people you shouldn't do business with, stop it before it happens. So you know that, to me, it's about taking back control. There's a second set of companies out there that we know are being poor or badly behaved with data. On those companies, we are not asking them to delete a consumer's data. And the reason being is we don't want them to know any more about you than they already know. Because if it goes into them, they come back and go, we'd like a copy of a passport. We do not want somebody like that to get a copy of your passport.
So actually, we vet the organisations that we add to the system and whether something should be sent to them. In those types of organisations, that's about engaging with the right forms of enforcement, National Trading Standards scams team, for example, about what can be done to try and actually prevent something happening, or in Scotland, Advice Direct Scotland or Police Scotland, or Action Fraud. This is about getting the right information and the intelligence to be able to make sure that the right actions can be undertaken, but not putting you at risk.

Sounds like you're doing a lot of information behind the scenes. And this requires expertise and understanding how the law works, and what a dodgy company looks like. I tried the service, it's at Rightly, right, dot L Y, it's free. How do you make money out of this to improve the service?

Everyone always goes, if something's free, how do you make money? And it's a good question. It's the right question. You know, if you think back to what I would have said and haven't but should have said, I'm gonna guess, is that free services are frequently focused on you being the product and how you make money out of it. We're not. We're not making money from this service, we are very ethical in the way we use data, ie, we're not trying to steal your data. Actually, if you want to delete your account, if you've used us, super easy and quick to do. We're not that we don't want your data. If anything, holding data on you puts us as a service at a greater risk because it becomes something that would be interesting. The scammer said don't hold the data, let's make a service to help you empower yourself. Where are we going is actually what can be done to help you to be more in control of your data. And we're looking at how that can become a freemium service, ie we have a basic free service, are we looking to add in a premium service that the consumer could choose or businesses choose to pay for.
And that's where we're going. You know, that will be sometime at the end of this year or into next year. But the really important bit is that we are not treating the consumer as the product. What we're treating consumer as is the person that somebody needs to help. And that service that is there to be able to make sure that they can take control and they can be their data champion themselves.

My favourite phrase is, if the product is free, the product is me. And you've just spoken to that. But I would pay for your service. I mean, I wouldn't pay 1000 pounds a year, but I would pay for something. Again, there'd be a fair value exchange to keep people away from my data. But on that face value exchange, how do we broker a fair value exchange where I'm going to give you some of my information, and I want something back in value, but I don't want you to just take it away? I was amazed by your analysis that I'm worth 50 pence. I would have thought I would be worth more, but by clearly not.

Now frighten up with try a bidding war, we may be able to get 53p for you or 55. But a push the amount of data that we can get on consumers, I could go out buy lovely data lists of great details on consumers, it's as cheap as chips, because still the number of people that convert is quite low. So therefore, when you're buying in a list of, I don't know, let's say 100,000 people, 50p a user is becomes, you know, quite a reasonable amount of money quite quickly. How many people have got to convert out of that for the company to go, that was worth me investing in? So we're all long shots in a way when it comes to what we're worth.
I think the bit for me, though, in this is all of the brands have had an obsession about knowing about your customer, you know, the concept of, you know, who to target, you know, who to profile. That obsession has fed through to the data brokers to say, we want you to find out as much as you can, and give us the right customers. The data brokers have then gone, where do we get the data from, and they've cast the net wide, and probably too wide, and sometimes into organisations that they really shouldn't be dealing with, whether they know it or not. So actually, there is an element of almost, I'm going to say, guilt by brands wanting to know about their customers have driven the obsession to get data on us. That data obsession is putting us at risk.

So there are a lot of other regulations coming in. And Google is reducing the propensity for cookies, so we mentioned them before, to be useful. I did some work with Adobe, who run a consumer data platform, which is again using first party data. And to your point, if I already have relationship with John Lewis or Adobe or BT or something like that, I want to again give them more data to make the products services they suggest to be more relevant. So as second and third party data becomes less valuable, and it's harder to then to mine, will we see smart marketers want to engage with customers directly so that their database, their customer management system actually has a better view of what I've done? What surprises me, I go on to, and I'll use John Lewis as an example, I'm a good customer of them. I buy something but then I get a retargeting ad about something I've just bought. You know, I've just bought it because I just spent money with you. So is that the focus where you think ethical marketers will actually earn the right for me to tell them more about myself?

To me, this is all about transparency and openness. You're not linking things up? You're not being clever in trying to understand having data from me.
I don't mind John Lewis having all of my purchase history. I don't mind, no issue. John Lewis wanting to know the age of my kids and when their birthdays are, if I haven't given the data to them. I do mind. John Lewis asking me for that data explaining why. Yeah, okay. One of the things my CTO, or former business said to me once was that, look, on the signup process, we should ask the minimum amount of questions necessary to be able to deliver a service, because anything else, every time a consumer looks at it, you've got to ask your question, why you're asking that for me? Why do you need to know that? It is an off put for people signing up to services. The more you're asked, the less people want to sign up. Why? Because we feel uncomfortable handing data over somebody we don't know. But if you explain to somebody why you do need something, and it's legitimate, then we will share. I don't think people object to actually having their data out there where it has a benefit or a value to them. Imagine that I was going to do an energy switch, assuming that the energy market works at some point in the future. Thank God for podcasts, because this can be in five years time everyone's going, what problem with the energy market? What if I, you know, pulled down my data from my Nest thermometer and combined it with my smart meter electricity data and my Tesla charging data to be able to go and say, well, this is how I exactly use data, rather than everyone trying to guess it. Your data can offer great values and great opportunities to use consumer to get better services. But it needs to be something that you are confident and in control with, rather than something that you don't understand. And it's spooky, and you look at it and go, or how do they know about that about me? Or why did they get that?
Or where did it come from, is that lack of control, the lack of transparency, and it's the lack of equality that I think causes consumer distrust.

With my futurist head on, the view of combining all these datasets is something I think is very positive. So again, if you earn the right to say, Well, if you give me your Nest data and all this other data, I can start to build better propositions for you. But this comes down to open data. And the only industry that's really been forced to that has been banking and the open banking platform, the thing that happened around about GDPR time as well, we've seen that banks have been forced to share data. On stage, I say, well get ready for open water, open utilities, open telco, but I think then we're relying on consumers being smart enough to say, I now know how to access all this. So I've been playing around with cryptocurrency and NFTs, just to understand the friction. And to sign up for some of these services is actually quite complicated. And I have four engineering degrees. So I really feel for the poor consumer out there. To your point, your service makes it really easy. But what's next, once they've cleaned all their data, and they want to share data? Do we have to rely on smarter consumers? Or will there be brokerage services out there like yours that do it for us?

I think it's about empowering. And I actually want to go back to your point there on open banking, because I think there's a lot in this as well, which is look, go and show me the killer app that's come out from open banking, there's been sharing of data, but I don't find a killer app. And for me, it's the lack of granularity that open banking provides. So 30 years ago, you probably would have had a good card level of transactions. And you'd have each individual shop and you'd have been able to work out about me where I go shopping, or what I do. What you see now is a lot more aggregation so that I go through a PayPal. 
So actually, you don't see where the transactions got, you just see it's PayPal, or I go through a marketplace. So therefore you don't know I've ordered a takeaway, you see it as being Uber, or you see it's been delivered, you don't know what food I've ordered. So you don't know anything about me. So how can we tailor so that's actually almost this disaggregation in purchase data that's occurring, so that you end up open banking knows less about a consumer now than it would have done when it would have been a good idea. For me open banking fails. I think the apps fail within open banking because they can't offer you enough insight. The next layer that goes into this is I'm going to call it micro data. What if you could see that I've spent at Sainsbury's, but you could pull back all of my purchase history from Sainsbury's and then offered to me, which is the supermarket based on your normal shop that's doing the best deal this week. That then becomes interesting. Open banking data gives me that whereas spent, it does not give me what I do, or the implication, if this is handled in the correct way. And again, I'm going to go back to everything we said before, this is about open transparency and value to the consumer is that suddenly you can create new services to the consumer that have value, and can change the way that they engage in services they get, but you need the next layer of data. And that's fundamentally where open banking has failed to me.

And you're right, because the promise of open banking was I could then send my data off to a scrappy startup in Shoreditch, that would actually look at my transactions and make better assessments of how I should spend my money or invest it. But that really hasn't happened. And so in a way, it's failed. The overarching issue is and you do a lot of work with regulators and ombudsman and those sort of things. 
Do the regulators understand how the regulations need to change to make these services far more valuable?

I remember presenting at the regulators forum or conference, I can't remember what they they're all the regulators have like, an overarching membership of being a regulator. And I went and presented at one of their events, I said, Look, I'm really worried about how algorithms could be used against consumers to end up giving biased services or unfair services. You know, there's the classic one that Google created, our algorithms work out who was the best doctor, and it came out and said it was a man. Because 75% of doctors were men, there was nothing about the quality of the health care, or what was delivered, it just came out and made this broad assumption. So you imagine that you then put that into something as simplistic as buying energy? And what could you end up with? I'm not sure. But you could create a bias in terms of a customer that you want to take on and suddenly create a very unfair environment, I posed the question. And the answer back from the regulators, which I thought was quite interesting was actually you know, what, I don't care if you put an algorithm in, what I care about is whether you break the regulation. So as long as you're doing what is right, how you do it is not my concern. Regulators understanding about how well open banking works, or whatever it may be, like all good ideas, they're only as good as their first engagement, that learning and adapting takes time. Because it's regulation, regulation needs to understand and then needs to propose it then needs to consult, it then needs to put on paper, it then needs to finalise the paper and implement. And that could be something that can be like three to five years. And if you just think back to things like issues with payday loan lenders, and how long that that took before, effectively, the market got sorted out. For me, that was a swing that probably ended up going too far. 
You know, it's too far in the company's favour to begin with. Therefore, the regulator's reaction was so far towards the consumer than actually the value of payday loan lenders. And there is to me a value because what's the alternative, a load shop, it's one too far the other way and sort of took out the market. Regulators have to be balanced and regulators have to be effective, but where they do need to improve is the speed at which they change. Because that is the slowness that causes the problems of things not to be able to evolve quickly enough. And don't get me wrong. UK open banking is ahead of the world. In many ways. It's the first one out there, created the FinTech market that we see in London in many respects. So it did great things. I just don't think open banking is delivering what it could do.

You make an interesting point there about regulation and the payday loans and those sort of companies. Probably the next best thing will be cryptocurrency because everyone's trying to regulate it, and we see ads on the tube. Tell you a little story, though, that you're going to like. So probably two or three years ago, I had the privilege of speaking to the Welsh Government at one of their internal TEDx events. And I said to a roomful of regulators, you need to think like a startup. And here's what I want you to do. I want you to spend a couple of days going into a serviced office, and actually sit inside and watch how startups work and why they make decisions quickly. And I had five or six come up to me afterwards saying, that's actually a really good idea. Because as a human, I need to understand why these people think differently. And maybe that will actually impact how we work in a more agile way. So I take your point, that regulation takes a while. I'm hoping if there are any Welsh regulators out there that saw my TEDx talk, you have gone and learned how to think in more agile way, it's gonna take you and I a long time to go and influence regulators to do that. 
Maybe we just need to say you need to think like a startup. So you're thinking a lot more nimbly, go back to the startup, but we're doing it the same as anyone else in many respects is that you have to find your way to be able to circumnavigate problems that are in your path, which often can please the regulation as well. You have to sort of work out how you solve a problem. My definition of a startup is you know that you're not in a startup any longer because it's easier to get somebody outside of the business to do something than it is to get done inside of the business. That fundamentally a startup is about quick decision making rapid fail rapid learning, and everyone will put in their heart and soul into making something work and the great bit for us with Rightly, is actually the people in the business are all about care about data and all about actually how we should be looking after our data. And that's the passion that organisations need to grow and evolve quickly.

So just want to spend a bit of time talking about how consumers can stay safe online, you mentioned on your website, and I've been a big fan of Troy Hunt's Have I Been Pwned. Since 2013, he's actually indexed 11 billion data breaches, all of my talks, I freak out my audiences by saying in the break, go to the website, put your email address in or your password or your cell phone number, if you're very game, and they all go, Oh, my goodness, my emails out there, you and I know that that's not the end of the world. But what it does, it makes it real. Also, it talks I talk about using two factor authentication. I talk about using password managers, you and I probably are doing that natively because we know the extra layers that can help us stay safe. But what would you advise consumers obviously use Rightly. What other things can they do? I mean, Apple now has a service called Hide My Email that has masked emails, there are all sorts of things coming out. Where do you think things are moving? 
And what should consumers do today, tomorrow to stay safe online?

I'm with you Mason service, the guy has done a fantastic job, how was when he started that him ever sit there and think, actually, there'll be conversations probably going on multiple conversations around the world every day about this. The one thing for me though, when you go and look at it is go and look at actually the number of organisations on there that you go, I never get my data, because I go and look at it and go half of those companies that lost my data, I never share my data with them. So how do they get your point about using Rightly, thank you very much. But I think building on being Pwned is that it's showing to me that there are lots of companies that you don't know have your data. And that's why you need to take control. I think the other bits, you've pulled them out that password managers think about the browser that you're using, and how that data has been collected from it. I'm also into having different email addresses or having different types of email addresses for different levels of security about tagging sites, which you can do in Gmail and Andrew, you talked about your example about how you do it, antivirus, there's a lot of elements, password managers, which are already mentioned, but you do all of this and you're putting yourself at a lot lower risk. I think there's also an element here, though, that I am going to say, which is something that you can't go on, but attack with, you've got to do a mindset with, which is in the finance sector, they have a campaign called Take Five, which is take five before you do anything, think about it, it's something new, just don't go and do it straight, walk away from it, think about it and come back to it. 
Because fundamentally, if it's clicking on a link, it's putting your data in somewhere, going somewhere you haven't been before, take five to think actually, is this the right thing that I'm doing? For all the pieces of technology that we can throw at the problem, they are only as good as you are at trying to prevent it as much yourself, you know, no one's going to be solving the problem of human behaviour soon. So we all need to take ownership and control of what we're doing as well. Which is why for me, you know, taking control of your data footprint is a key element of that, because it's something that you can control. Rather than sit there and waiting for things to go wrong. Stop it going wrong before it's going to happen.

Andrew Grill:

I still get surprised when I'm in a hotel and asked to fill out all this information on their Wi-Fi form. I put dummy information in there, my name is you're not getting and then my surname is your my data. And then my email addresses go And I go fantastic. Come in use the Wi-Fi and all my friends go. Can you do that? I said yes, you can. I also have a fake birthday. I have a real birthday. And I have an online birthday that I use for everything except where I'm required to legally. And in 99.97% of the cases. My fake birthday lets me in I had to change it on Facebook, though, because everyone was wishing me happy birthday at the wrong time of the year. But against my friends. When can you do that? I said no one said I can't back to the take five, why are you giving someone your date of birth? Why you're giving someone your name and even your address? Because as you know, it's not just fraudulent marketers. There's a whole industry out there about credentials and scamming people online.

James Walker:

Somebody came to me and said, loaded my information has been breached. And I'm worried about how it's being used. Do you know where it's been breached from? I think it's from here and I went okay, I tell you what, why don't you go back to that site, or phone up customer services, and get them to add your middle name and get them to save the data. So you know, my name would be James John, not my real middle name just in case somebody's gonna use it against me. But did it they did get a phone call. And then some they said that, you know, okay, so what's my middle name? I'm sorry, we don't have that. Boom. It's almost like how do you reverse engineer, you add in more data by the fact that your data has been gone, that therefore somebody won't have your data.

Data breached has a half-life, you know, it's a bit like a radioactive isotope. The longer it's out there, the less value it is, you know, going back to Pwned. I remember one of mine was a data breach from LinkedIn in 2011 worldwide A job, my house, my primary email, they all are different from them. So actually, if somebody tries to use that, and my passwords have changed, I know that it's not real. If there was a leak, like TalkTalk happened, what a few years ago, the most damage was done before anyone knew that TalkTalk's data had been leaked. The way the data was leaked was super simple that people put a query into the search bar on the TalkTalk website that said, please show me the database, and it showed the database and they copied the whole thing down. Scammers then phoned up before talk to it worked out to say, Hey, this is how much you spend. This is what programme you're on. This was your last bill, please, could you instal this software? Because we need to make sure a monitor for security on your device? 
Do you fall for it? Because they've got enough information about you to make it believable?

Social engineering is something that I think a lot of people get thrown for, almost out of time. But I just want to touch on some consumer research that you did, you said that over three quarters of consumers feel falling to a victim or scam or breaches inevitable, which is a bit sad, and they're ignoring the risks and taking action to prevent it. Almost everyone has a digital footprint, according to your research. But eight in 10 consumers don't know how big or far reaching it is, what other things surprised you in the research that you conducted.

The big one on this is the number of consumers that actually believe they know what GDPR is, and the data regulations. The reality is, it's not like that. Because if I know the fact that every website should be informing you your data being shared. I don't know anyone else that knows that. So therefore, for me, there is a belief that everyone knows, because they've heard a few bus lines when this came out. And all the same things were like, it was all about cookies and cookies can't be used cookies, this and cookies that wasn't about the bit that really matters, the bit that can be used against you the bit that is going to be shared across the internet, your cookies aren't shared across the internet, your name, address, phone number, income, age and children could well be that's what's going to be on the dark web and not your cookies. The concern for me is people believe they know what their rights are, when fundamentally they don't.

The service is fantastic. It works on Gmail, it works on Office 365. That's Outlook and Hotmail. Where do you want to take the service next?

This is about going back to that element of how do we help you to be able to distinguish between good and bad actors out there. Being able to analyse the data to be able to look at this company haven't used for a long time. This is a company we know that sells data. 
So it's all about adding the intelligence or bringing in those information lists for people like the Financial Conduct Authority, we want to make this that you are back in control. And we are giving you very simple ways of being able to choose from the two and a half thousand companies that may be in your inbox, which ones that you don't have your data very quickly, very simply, you know, let's keep it for that three minutes. We're all busy. We all know we should do something about this. But we will think it's too complex. Three minutes is not too long to sort yourself out and to protect yourself.

The government organisation responsible for upholding GDPR is the Information Commissioner's Office or ICO, where do they need to be involved in, what should they be doing next to ensure that services like yours are well known, and people know about controlling their data and they keep the bad guys and gals at bay?

I have one element that the ICO needs to be able to change. And it's not a complex one. But it's a hard one, which is in every other market sector. There is fundamentally a form of the polluter pays model. So you know, if you're in work in finance and consumer complaints, and they escalate a case, that goes to the Financial Ombudsman that costs about 700 pounds a case to be managed. So if you're really bad, you get lots of case fees. And you go we should improve in the data perspective is everyone pays an annual charge to be regulated by the ICO. They don't pay any fees for an investigation into the firm. There are unlimited number of firms that the ICO manages to take to court or fine a year. And that's mainly because the number of consumers complaining more people that complain, the less time they have to deal with things. And all of those fines go back to the Treasury. So what happens is that you see more people worried about their data, there's more of a workload for the ICO to deal with, there's less time to be able to go after the bad actors. 
You need a mechanism of polluter pays to either put an ombudsman and a regulator to be separated. So you have an enforcement and a regulation separate or still you combine the two, but you have a mechanism to make sure that actually the money that comes in from bad behaviour funds the enforcement of bad behaviour against others.

I love that notion of polluter pays. Let's run you through a quick fire round one and a bit more about you. iPhone or Android? iPhone. Window or aisle? I am OCD on this I have to be aisle. What's your biggest hope for 2022? That we can all love each other and get on and not keep having fights. What's the Have you most on your phone? Mine is Stripe. Final quickfire question, how do you want to be remembered? As being fun. Good answer. So as this is The Actionable Futurist Podcast, what three things can our listeners be doing today to ensure they start to control the use of their data online?

Delete the data from people that have it that they shouldn't have it no longer go to Marketing Service Providers and tell them not to use your data ever again. And actually think about what email addresses you use or the way that you tag data going in. So if anything comes into the future, you know where it's from and can actually trace it back to make sure that you're in control.

James, a fascinating discussion. How can people find out more about you and your work?

Look at, we have a blog, I write a number of blogs about things that we're working on. I also do some bits on Twitter. Anyone reach out to me, I'll have a chat with anyone.

James, thank you so much for your time you have a really valuable service. You are a passionate advocate of consumers and consumer rights and I need to tell everyone about Rightly so they go and use it. But thank you so much for your time today.

Pleasure.


Thank you for listening to The Actionable Futurist® Podcast. You can find all of our previous shows at, and if you like what you've heard on the show, please consider subscribing via your favourite podcast app so you never miss an episode. You can find out more about Andrew and how he helps corporates navigate a disruptive digital world with keynote speeches, and C suite workshops delivered in person or virtually at Until next time, this has been The Actionable Futurist® Podcast.
