MyData, the nordic model for human-centered personal data management, is moving from theory into practice.
In the past couple of years, the word “MyData” has been thrown around while planning and discussing personal data related systems. MyData has been part of political discussions, legislative talks, technical architectures and even consumer behavior forums.
One reason for this is that Finland has been very prominent in driving the MyData model and thinking. Most people know MyData from the MyData whitepaper, which was funded by Finnish Ministry of Transport and Communication, and Finland also hosts the annual MyData Conference, which this year is on 30.8.-1.9.2017. This, in addition to Finnish government’s support towards MyData related development, has resulted in Finland becoming the thought leader regarding personal data in the world.
MyData is a Nordic model for human-centered personal data management and processing. It is a fundamental change in how we view and use our personal data. I like to think MyData as an ideology, driven by few main principles
1. Human centric control and privacy
2. Usable & accessible data
3. Open business environment
These principles then enable creation of new types of personal data ecosystems. The now world famous MyData whitepaper describes MyData architecture with four parties, where individuals uses a “MyData operator” to give consent to services for using their data, which resides in a data source (see picture).
There’s a lot of talking, but little walking
Even though MyData has gained a lot of attention, it has lived in the “awareness” phase for the past years. No major breakthroughs have happened, although there are few pilots. MyData is still very relevant, and the number of supporting organizations is constantly growing. However the real world use cases seem to be lacking. What MyData needs now, is practice. It’s time to turn the talk into walk and leverage the full potential of MyData.
The rise of self-sovereign identity
Self-sovereign identity is a new term, coined sometime during 2015-2016 (according to Google term search) in the brains of the internet identity pioneers. One of the earliest blog posts on the subject is by a long time internet cryptography and identity pioneer, Christopher Allen. In his blog post “The Path to Self-Sovereign Identity” he describes self-sovereign identity as the latest advancement of identity since the advent of internet. Three previous stages being centralized identity (think certificate authorities), federated identity (single-sign on systems, like social media logins) and user-centric identity (original goal of OpenID, never fully realized).
Digital identity is constantly evolving. Right now, most people are familiar with Facebook Connect, LinkedIn login, and other types of social media sign-on systems, which are mostly federated logins, but include some user-centric control over the identity. However, they are still very much tied with the companies supplying the platform. And your accounts are essentially in their control, not yours.
So, what is this self-sovereign identity?
Self-sovereign identity is a concept, where an individual is able to control his/her identity attributes (that is, the pieces of personal data), no matter where they reside in. The control over the identity attributes is asserted by creating trust relationship between the data owner (individual) and the holder (e.g. organization). These identity attributes (aka “claims”) can then be freely used and distributed by the owner.
This means that I can request control over my personal data (for example, my health records) and then distribute that data at will, in a digital format. Sound familiar? Self-sovereign identity actually resembles the MyData model in the whitepaper quite a lot.
Why now is the time for self-sovereign identity?
Interest in self-sovereign identities have taken a boost mainly because of convergence of few things:
1. Rise of Blockchain and Distributed Ledger technologies enable creation of truly self-sovereign and open solutions
2. Amount of data generated by humans is growing exponentially (see some predictions here)
3. The value of personal data is being realized (see BCG’s study from 2012)
4. Growing number of personal data hacks are constantly putting people and organizations at risk
5. GDPR (upcoming EU regulation) requirements are making companies rethink their position with personal data. In fact, because of the increased hacks and risks of EU fines, some companies are considering getting rid of this “toxic personal data”
All these things together take us to the brink of major transformation, where we (as individuals and organizations) need to think our approach to managing personal data.
For this transformation to happen, we need to have multiple levels of change, which we’re already seeing that happening in the world. Technology is driving change through distributed ledgers, new distributed governance models are being founded, even legislation is being changed to recognize blockchain smart contracts.
Nice preach! Where’s the practice?
New self-sovereign identity systems, like Sovrin & UPort have lately been released and pave the way for the real transformation. But that transformation only happens when we start to pilot new ways of handling personal data, and take bold actions in taking MyData into practice. This will in turn start the process of developing new behavioral patterns between organizations and individuals.
Tieto recognizes self-sovereign identity as a key factor in driving MyData into practice and bringing forth the next era of digital identity. We are soon announcing some exciting actions we’re going to take, in order to bring self-sovereign identity to Nordics!
Interested in hearing more about self-sovereign identity, Sovrin or Blockchain Solutions? Contact us!