How Data Informs Business

Firms and Data

Introduction

Data is becoming crucial to the competitiveness of nations, regions, cities, and companies. This chapter highlights the implications of the transition to a data-driven economy for firms, especially in emerging markets. The emergence of the data economy has stimulated development of new business models and is transforming many of the key functions of private sector firms, including product development, customer relationships, supply chains, and core enterprise functions such as marketing, human resources, and finance. Governments in emerging markets are keen to explore and implement the right policies to allow private sectors to enhance competitiveness and benefit from new opportunities in the digital economy while mitigating risks.

The chapter examines the impact of data on firms from three distinct perspectives. The first part of the chapter introduces an assessment framework for digital platforms­ – a dominant aspect of data economies­ – and features case studies of selected digital platforms in emerging markets. Next, the chapter looks at how data affects firms, highlighting the tension between data as an equalizer, but also as a key competitive differentiator. Finally, the chapter looks at how data affects small and medium enterprises (SMEs)­ – and their specific needs.

Source: World Bank, https://openknowledge.worldbank.org/handle/10986/30437
This work is licensed under a Creative Commons Attribution 3.0 IGO License.

Digital Platforms

Defining digital platforms

Digital platforms might be defined as "multisided marketplaces with business models that enable producers and users to create value together by interacting with each other", and by facilitating matching, searching, exchanging, transactions, and so on. Marketplaces rely on information to adjust prices and impose rational order, but information is frequently uneven and incomplete. Digital platforms offer advantages over traditional marketplaces through scale and network effects that increase the information flow and interaction between participants. Participants derive benefits from communications networks that increase as others join the system. For marketplaces that bring together suppliers (or advertisers) and users (or information consumers), economies of scale become even more important. Multisided platforms benefit from positive network externalities, as the utility of each side increases as participants increase on the other side. For example, the utility of a car-sharing platform for each side increases with the increase of drivers and riders. The scale effects are not uniformly positive, however, and policy makers must recognize risks such as dominance and anticompetitive behavior.

Digital platform enablers

Digital platforms typically combine physical (and virtual) and behavioral (and market) enablers. Physical enablers (figure 5.1) include digital infrastructure (fixed and mobile broadband networks), smartphones, payment tools, geolocation, cloud-based services, security, and ancillary enablers (such as distribution, logistics, and intermediary goods). Behavioral or market enablers (figure 5.2) nudge consumers toward buying goods or accessing services in a peer-to-peer economy in which platforms increasingly mediate interactions, typically coordinated by peer-based trust relationships. This development is sometimes called collaborative consumption.

Figure 5.1 Physical and virtual enablers

Figure 5.2 Market and behavioral enablers

Platform enablers have important implications for economic development. Emerging and transitioning economies often lack pervasive broadband internet infrastructure, and present wide disparities in internet access among population groups (these differences relate to, among other things, urban versus rural, gender, age, education, and income differences). Equally important divides affect access to devices such as smartphones and laptops. Overcoming the digital divide is thus essential to developing digital platforms in emerging markets. In the Middle East and North Africa region, the ride-hailing platform Careem emphasizes the social value proposition of not only creating jobs, but fostering social value by allowing drivers to become micro-entrepreneurs, including by equipping them with smartphones.

The development of the physical and virtual enablers of digital platforms in developing countries may require dedicated policies, technical assistance, and investment. Digital infrastructure may also require a combination of telecommunication market liberalization, regulatory reform, and better targeting of subsidies to extend the commercial viability of broadband infrastructure or public-private partnerships. Increasingly, as shown in chapter 3, these physical enablers are software based, such as artificial intelligence, the Internet of Things (IoT), machine learning, and autonomous vehicles. They may also require harmonized data protection and privacy standards to facilitate the development of cross- border operations. The development of technology enablers has been crucially important, for instance, for Alibaba's ecosystem development to bring together the trading platform, payment system, and logistics network that forms the basis for its e-commerce business platform (see figure 5.3).

Figure 5.3 Geographical concentration of digital multinational enterprises with revenue in excess of US$1 billion, by region, 2016

The study of the market and behavioral enablers of digital platforms constitutes a research agenda by itself. In many cases, participant behavior and market development in emerging markets closely mirror that in high-income markets. For example, digital platforms to match labor supply and demand are popular in emerging markets: the Philippines, the Russian Federation, and Ukraine are among the top 10 countries providing skilled labor on Upworks' digital platform. Alibaba is a serious global competitor for eBay and Amazon, and Alipay's transactions are a multiple of those of Paypal.

But ability to scale up and reach critical mass is limited to a relatively few emerging markets. Plus, platforms often exclude many economic actors, such as consumers outside the reach of mobile broadband coverage or without smartphones and SMEs without access to technology. SME owners can be encouraged to participate in platforms through tax breaks or subsidies or be given training or access to technology. Incentives to global platforms to localize businesses by partnering with local businesses could also be an option, as shown, for example, by the Uber-Yandex agreement in Russia.

Business Models for Digital Platforms

Emerging business models for multisided platforms are based around the bargaining power of different participants to drive revenues and organize dispersed information to make it available to market participants. By using platforms, firms can drastically slash transaction costs, creating new markets. By using social networks combined with such digital platforms, firms can leverage a "long tail" of market participants, that is a large number of customers with specific product preferences, or a large number of products that sell in small quantities. So-called long-tail effects on digital platforms give users more choice, enabling them to search for less common items or services from foreign countries, such as Indian music or Latin American cultural artifacts. The value to advertisers of capturing long-tail marketing data fosters marketplaces, such as Jumia in Africa (see box 5.1) and MercadoLibre in Latin America. Other differentiators may include price discrimination, delivery, geographic reach, and wholesale versus retail.

Platforms in emerging markets share many of the characteristics of business models encountered in high-income markets. Regional matching platforms like Laimoon.com (matching labor supply and demand in Arab countries) and Arabmatrimony.com seem to mirror the models, respectively, of Upworks and Match.com, taking cultural differences into account. Successful platform models that worked in advanced economies were also adopted by local platforms, as the case of Careem shows. Careem is a transport network company based in Dubai, with operations in 53 cities in the Middle East, North Africa, and South Asia. The company was valued at about US$1 billion as of 2017.

As platforms have evolved, four main business models have emerged for revenue:

• Commission-based revenue

• Subscription-based and service-based

• Advertisement-based

• Tertiary services developed based on the data from the network (for example, supplier financing that many platforms provide to their sellers based on their transaction history on the platform)

Täuscher and Laudien introduce a taxonomy of platform business models in which, in addition to the four revenue models, other dimensions of the revenue source are also captured (such as price discrimination and source), in addition to the delivery dimensions (consumer to consumer, business to business, business to consumer, global, regional, and local, among others). Digital platforms may be primarily wholesale (business to business) or retail (business to consumer). Platforms may mutate the scope and breadth (reach, timeliness) of markets or lower entry barriers (or both), thereby affecting competitive dynamics.

Organizational science has introduced additional elements, adding new dimensions to this taxonomy, including the degree of standardization of output (product) and (input) and how they shape different organizational mechanisms.

The biggest obstacle to the development of certain digital platform models is the relative underdevelopment of the advertising industry in many emerging markets. This factor may limit the ability of platforms in those markets to subsidize a side of the business and limit the range of possible business models. One outcome is to encourage the development of "transactional" models to the detriment of commission-based platforms. A real estate owner in a high-income country, for instance, can choose whether to list a property on a pure, local marketplace (whose business model is purely advertising based) or to use a foreign, commission-based platform like Airbnb. But absent a mature advertising market, the consumer may have a more limited choice of platforms.

Digital Platform Dynamics

Platform dynamics have business and policy implications. The dominance of a platform, arising from network effects (winner-takes-all), raises competition concerns, although some argue that dominance can benefit consumers through greater convenience. Often, the achievement of critical mass drives platform dynamics.

Some authors propose a system dynamics simulation model of platform competition, highlighting three cases. In the "chicken-and-egg" scenario, no platform achieves critical mass. In the "winner-takes-all" scenario, a vendor locks the participants into one dominant platform. The final scenario ­– "winner takes some" ­– is characterized by the "collaboration and competition scenario in which several platforms coexist in balanced competition".

Various models have focused on the conditions for multiple platforms to grow first, and then to coexist in a competitive market. Both considerations matter in developing countries, and have policy and regulatory implications. Network effects, "critical mass" factors, and reversibility of participation create entry barriers and are likely to be more pronounced in developing countries.

Competition among multisided platforms depends on several factors, including network effects, and "single-homing" versus "multi-homing" scenarios. If an agent uses only one platform, the agent is said to be single-homing; if the agent uses multiple multisided platforms, the agent is multi-homing. Network effects may lead to situations in which a proprietary platform may be socially desirable, as it partially internalizes two-sided indirect network effects and direct competitive effects on the producer side. Ruutu, Casey, and Kotivirta indicate that "if platform adopters are able to react quickly, achieving a critical mass may be difficult because the platform firms cannot accumulate enough resources for sufficient platform development".

Competitive dynamics can be altered by "platform envelopment," a strategy through which an entrant platform can rapidly gain market share by entering another platform market and harnessing its network effects by offering a multiplatform bundle. An example would be Google's offer of various services around its core search platform, including Google Translate (translation software), Google Checkout (online payment), Chrome (browsing), and Google Docs (productivity software). The services are often offered free of charge to the user (that is, paid by advertising), whereas other competitive service offerings may require payment.

The initial growth phase can be accelerated through open interfaces (that reinforce cross-side network effects), as well as by the ability to transfer user data among competing platforms. These tactics may lead to the envelopment of local service offerings in developing countries. They thus raise competition policy concerns as local companies in these countries often lack economies of scale to respond in kind. This may explain, in part, why the largest internet companies are so clustered in the United States and Asia (see figure 5.3).

Different dynamics can emerge and mutate over time. In the U.S. market for online platforms for books, for example, eBay acquired half.com, eliminating its most direct competitor. However, it did not prevent other platforms, notably Amazon .com (new and second-hand books, and a wide range of other products and services), from dominating the same market segment, deploying a different business model.

Will competition among platforms in emerging markets follow a similar dynamic? The choices may be more limited.

Network effects and critical mass considerations may skew competition toward foreign platforms. The huge size of the domestic Chinese e-commerce market was a factor leading to the emergence of Alibaba and Alipay as global leaders, while the ability to cater to domestic demand allowed Yandex to retain two-thirds of the addressable market in Russia. But few developing countries have such economies of scale, and there are many cases in which local platforms do not emerge as winners. As noted, the fear of a winner-takes-all scenario dominated by foreign platforms seems to be a major concern in many markets.

Partnership is another business strategy undertaken by digital platforms, especially in emerging markets. Incentives for global platforms to localize their businesses by partnering with a local business partner can also be an option. In China, Uber decided a better strategy was to sell out to its local partner, Didi Chuxing, and in Southeast Asia it is selling to Grab in exchange for a stake in the combined company. The common shareholding in all three companies of Japan's Softbank, now the Visions Fund, seems to have played a part here.

Access to user data is of vital value for online platforms to keep advertisers onboard and is a crucial tool for competing. Owning the end customer's data is akin to owning the market. This is one reason traditional freight forwarders are being squeezed by vertically integrated e-commerce companies. Online platforms have an interest in locking out rivals that may threaten their market dominance. This makes data portability ­– the ability to transfer a user's data from one platform to another ­– a critical policy issue. Data portability benefits users and secondary players in the market, but will most likely be opposed by the dominant players.

Digital platforms in developing countries

A study of digital platforms in emerging markets provides significant insights into business leaders and policy makers. Broadband and smartphone access will have a direct impact on network effects and platform diffusion; the maturity of the advertising market can exclude or boost advertising-based platform models; conversely, the maturity of digital payments, such as mobile money, in emerging markets may allow firms to determine the development of transaction-based models. The interplay of rapidly changing enabling conditions in emerging markets and rapidly changing business models (figure 5.4) will affect the three main drivers of platform dynamics: network effects, localization, and envelopment. To some extent, it will also determine whether winner-takes-some or winner-takes-all trends dominate.

Figure 5.4 A methodological approach to assessing digital platforms in emerging markets

Firms in the Data Economy

The Organisation for Economic Co-operation and Development (OECD), in its submission to a Group of Twenty conference, provides useful background about the opportunity of the data economy: "As the cost of data collection, storage and processing continues to decline dramatically, ever larger volumes of data will be generated from the IoT, smart devices, and autonomous machine-to-machine communications". This will require a new approach to thinking about infrastructure in the twenty-first century, with the definition expanded to encompass broadband networks, cloud computing, and data itself, which drives productivity growth.

In the United States, for instance, Brynjolfsson, Hitt, and Kim estimate that output and productivity in firms that adopt data-driven decision-making are 5 percent to 6 percent higher than what would be expected from their other investments in and use of information and communication technologies (ICTs). A study of 500 firms in the United Kingdom found that firms in the top quartile of online data use are 13 percent more productive than those in the bottom quartile. Overall, these firm-level studies suggest that firms' use of data and data analytics raises labor productivity faster, by 5 percent to 10 percent.

Other studies identify several characteristics of digital business that create "dynamic competition and high consumer surplus". Many of these characteristics depend on data as their fundamental lever.

Product and service design

In many industries, data has become the new product, rather than the physical goods that firms traditionally sold. When you buy a custom-fitted suit, you often become an unwitting participant in a data economy in which "clothing companies now see body measurements (data) as one of their most prized currencies". Stitch Fix, for example, which had nearly US$1 billion in sales last year, is really a data company in disguise (it gathers dozens of data points on each customer, including weight, jobs, and past pregnancies). Similarly, the moment you buy a car, you start making money for companies like Otonomo, which sells driving data to third parties. The company has raised US$40 million in investments designed to "move from the age of data mobilization, to the age of data monetization". And finally, when the world's top-ranked tennis player Simona Halep fell out with her clothing sponsor before the Australian Open "she took to the internet to find a design she liked, then ordered it from a seamstress in China. Twentyfour hours later, it was in her hands".

Take a simple example from daily life: smartphone speech recognition can help write text messages three times faster than human typing, a dramatic improvement over just a few years ago when speech recognition was considered an irritant (or an amusing novelty at best). The availability of more and better data (that feeds artificial intelligence) is the single most important reason for this enhancement, and firms that can successfully utilize the ever-increasing amounts of data at their disposal are beginning to separate themselves from their competitors by delivering new products and services that both depend on and generate vast amounts of data.

If data is to be the new oil, then firms must invest heavily in data refineries and new capabilities (see chapter 2). In 2016, Amazon, Alphabet, and Microsoft together spent nearly US$32 billion in capital expenditure and capital leases, up by 22 percent from the previous year. Firms are also investing significantly in developing analytical tools that can make sense of this data in real time and convert this data into artificial intelligence or "cognitive insights". Unfortunately, as the scale of investments required to run data-driven businesses has grown substantially, the marketplace has begun to tilt in favor of large-scale incumbents. Other reports have likewise concluded that the rise of big digital businesses may be squelching competition by using the power of their (data-driven) platforms.

This uneven growth between startups and incumbents is not limited to developed countries and there are still very few examples of scaled up data-driven firms in the developing world (see figure 5.3). Firms in the developing world face several additional data-specific challenges that create a tilted field in the marketplace:

• Low "datafication" of the economy (for instance, government records and archives may not be digitized)

• Limited data talent pool

• Restrictive data policies (localization, poorly developed privacy and consumer protection laws)

• Underdeveloped data ecosystem

• Generally, a higher unit price for data relative to affordability (see map 5.1)

Map 5.1 Average price of 1 gigabyte of mobile data per month, by country, 2016

Data-driven supply chains

Supply chains are a vital way for companies to create value and deliver products and services. Technology-based supply chain innovation initially gave firms such as Walmart, which invested heavily in radio frequency identification chip technology, tremendous competitive advantage. But firms like Amazon, which have mastered data and digital innovation, are now showing the way. Koçoƥlu et al. describe integration with customers, integration with suppliers, and interorganizational integration as the key value drivers in supply chain integration. Information or data sharing (with customers, suppliers, internal functions, and across organizations) is a core component across the entire supply chain and is being remade significantly as businesses digitalize ever more.

That said, McKinsey Global Institute found that as companies have begun to digitize products and services rapidly, supply chain digitization has lagged, (yet the same firms expect the digitization of supply chains to have the highest impact on revenue in the near future). Progress has been especially slow in the management of supply chain data, according to McKinsey Global Institute. Challenges include the development of data infrastructure to manage vast amounts of data (what Ernst and Young called the "out-of-control data growth trap"), the ability to link disparate sources of data, and the development and utilization of tools to analyze data productively. These challenges have been heightened by the growth of data-fueled disruptive technologies ­– such as the IoT, artificial intelligence, robotics, and blockchain ­– that are fast becoming essential elements of supply chain management technology but are frequently beyond the capabilities of SMEs and their customers. Digital and data technologies that have integrated millions of firms and their suppliers in common global value chains are also gradually beginning to separate them.

Amazon is an illustrative example of a firm that has used its mastery of supply chain data to distance itself from competitors but also begin to erode the space of its suppliers and sellers on the platform. With its granular visibility into the operations of both the buyers and sellers on the platform, Amazon has realized that it can manufacture and distribute many products on its platform cheaper than other suppliers can (via the Amazon Basics program). Streamlining of the manufacturing, distribution, and retail of these products, combined with its mammoth scale and superior data smarts, gives Amazon tremendous competitive advantage. Can its competitors without access to any equivalent market data, such as Jumia (see box 5.1), compete?

Marketing and customer relationship management

Customer acquisition, management, and retention are core functions of business and digital and data technologies are transforming this landscape. In many ways, data and digital are the ultimate equalizing force. Firms using digital tools and platforms theoretically have equal access to customers around the world (local laws permitting), can use communication tools and platforms to stay engaged online in real time, and take advantage of a variety of payment systems and platforms plus logistics services to deliver products and services worldwide. This is how Uber was able to reach riders around the world, for instance, and how Instagram became a global rage. If these firms could acquire millions (and even billions) of customers and scale globally quickly, then so can other firms if they can create appropriate products and services.

There is an element of truth to this theory, but data confers several advantages on incumbents (indeed, it maybe argued that several disruptors succeeded because the incumbents were not yet digitally or data savvy). Some of these examples include the following:

• Personalization. Incumbent firms can often deliver more personalized products and services to customers given the vast amount of data they have collected about them.

• Predictive analytics. Firms can use their vast data troves to predict the movies you like, the books you are likely to buy, and your likelihood of trying rival products and services. This gives them a significant advantage against competition.

• Prescriptive analytics. Data-smart firms are able to react to events in real time to resolve customer management issues (for instance, vouchers to compensate for a delayed flight, rather than a routine customer survey, for instance).

Data-poor firms are at an inherent disadvantage in these scenarios.

SMEs in the Data Economy

'Although the digital economy is increasingly dominated by a handful of tech majors, a multitude of innovative SMEs nevertheless are the drivers of the mobile and digital industries, particularly in newly emerging market segments such as data for self-driving vehicles or mobile applications. Opportunity exists therefore for tech-based SMEs to play a major role in the data-driven economy. The mobile ecosystem in Nigeria, for instance, was worth an estimated US$8.3 billion in 2017, and the digital industry may contribute 7 percent of Mali's GDP.

Although the digital economy is increasingly dominated by a handful of tech majors, a multitude of innovative SMEs nevertheless are the drivers of the mobile and digital industries, particularly in newly emerging market segments such as data for self-driving vehicles or mobile applications. Opportunity exists therefore for tech-based SMEs to play a major role in the data-driven economy. The mobile ecosystem in Nigeria, for instance, was worth an estimated US$8.3 billion in 2017, and the d igital industry may contribute 7 percent of Mali's GDP.

SME advantages, drivers, and constraints of data adoption

SMEs try to absorb new technologies and innovation, but are often constrained by limited availability of skilled workers, particularly in emerging markets, in turn limiting potential for growth and job creation. Starting in the 1990s, many SMEs in developing countries began to adopt modern ICTs, increasing profitability and productivity. In addition, ICT made training and education more accessible for workers. This could eventually raise the employability of low-skilled workers.

SMEs are characterized by potentially advantageous features that distinguish them from other businesses. Their relatively small market size allows them to adapt quicker to changing market conditions, and they are less likely to have stranded assets, both of which increase their chances of success. Increasing digitization dramatically reduces transaction costs for collecting information, communication, and data controlling. Through easier access to information and the use of complex data analytics, firms may analyze the interdependency and buying patterns of users to pursue targeted advertisement, and adjust their inventory accordingly. SMEs can exploit low entry barriers to benefit from the potential disruption of data on existing models. Moreover, SMEs' digital technology adoption barriers can be lowered by the transition from hard infrastructure investments to platform-based digital services. The increasing availability and range of cloud-based tools for enterprise management is particularly relevant to SMEs.

Data analytics allows firms to establish new forms of customer engagement, exploit digital distribution channels, and serve new customers. Data analytics, combined with voice and vision recognition, enables firms to complement or substitute for human labor with machines (such as automated call answering and recording to reduce call center employees). Leveraging data can also affect competition, with SMEs transforming processes, facilitating innovation, and addressing key challenges. Access to data can revolutionize decision-making with enhanced visibility of firm operations and improved performance measurement techniques.

Innovative data-driven business models for SMEs

The use of alternative data to build credit histories by scanning users' mobile phones for their history or credit charges, for instance, is spurring new business models for SMEs to provide credit to the underserved. Even in sectors unrelated to financial products and services, firms are developing new data-centric business lines and alternative revenue streams out of the data they collect from customers. Firms in Sub-Saharan Africa, such as M-KOPA Solar (Kenya), Off Grid Electric (Tanzania), PEG Africa (Ghana), and BBOXX (Côte d'Ivoire), have not only revolutionized energy access, but are also starting to support financial inclusion. Through “pay-as-you-glow” business models, these providers allow low-income, mostly rural consumers to have solar energy at home. On the basis of the data collected on the timeliness of repayments they accumulate for the home solar systems they offer, these energy companies can allow customers to build a credit history and thus access credit and loans.

However, challenges to the use of data and data analytics exist, particularly in emerging markets, which are more acute for SMEs than for larger firms, as discussed below.

First is financial and access constraints. SMEs tend to have limited access to financial resources, which makes it hard to invest in new technologies and maintain them. Limited financial resources also cause SMEs to lack a formal risk management practice, even for those that do have an information technology department. In addition, SMEs in emerging markets often face obstacles accessing data relevant to their business. Larger firms gain access to that same data, often owned by the government, or are able to pay for it from private sources, thanks to larger financial resources or networks of contacts not available to SMEs.

Second is limited awareness. SMEs also tend to lack awareness of the opportunities offered by digitized business and operations, which affects their ability to adapt and compete in a fast-evolving business environment. A 2014 survey among 1,000 SMEs in Germany revealed that for 70 percent of enterprises with annual revenue below €500 million, the digitization of processes was still seen as irrelevant. Making the situation worse is that many available ICT products and information do not necessarily take the specific needs of SMEs into account

Third, human capital limitations are a constraint. Investments in new technologies often require investments in complementary knowledge-based assets. SMEs frequently lack the skilled people to benefit from new digital technologies, the resources to train these workers, or the management that can help them make the most of the new technologies. The lack of availability of skilled labor inhibits the adoption of data analytics, complex data integration, and model building in SMEs, especially in developing countries. That SMEs in emerging markets have a harder time competing for scarce skilled labor against larger firms, both local and foreign, compounds this challenge.

Fourth, new data sources may require remodeling of existing systems, such as SME warehouse systems. This is particularly true considering the volume and variety of structured and unstructured data becoming available from different sources, including social media. Organizational challenges also exist, such as internal resistance to adopting data analytics as a new way of doing business. On the other hand, wider access to different tools can help SMEs “turn digital” and help mitigate the challenges SMEs face.

Fifth, infrastructure constrains many SMEs in emerging markets because of challenges in accessibility, affordability, and quality of connectivity, particularly outside major urban centers (map 5.1). SMEs scattered across territories, particularly microenterprises and entrepreneurs, face a digital divide that could hinder the benefits of data for SMEs.

Sixth, lack of trust. This is mainly due to the increased digital security risks perceived by potential SME adopters, which is partly also the result of the increasing sophistication of digital security threats. In addition, the lack of data governance frameworks in many countries, or a lack of awareness of them or an understanding of how to comply, affects the ability of SMEs to adopt digital-data-generating tools. These frameworks should include privacy policies, intellectual property, data security, and access rights. Emergent practices also risk reducing confidence in the digital economy and the incentives to adopt ICT. Discrimination enabled by data analytics, based on profiling customers by where they live, for example, may create greater efficiencies and innovation but also limit individual freedom. On the other hand, disruptive technologies that tackle data governance aspects, such as distributed ledger technologies like blockchain, are emerging rapidly, facilitating inclusion. These could ease SME access to digital payments, loans, supply chains, land titles, contracts, or even ID.

Policies for SMEs in the data-driven economy

In an interconnected world, access to and use of digital technologies and data tools has become key to SME competitiveness, affecting the very chances to survive and develop. Cloud computing, in particular, allows smaller firms to overcome the barriers associated with the high fixed costs of ICT investment, and can help smaller firms rapidly scale up, providing high-power computing resources flexibly via a pay-as-you-go model.

SMEs tend to struggle to navigate the web of regulations and policies pertaining to data and understanding the legal and administrative frameworks governing cross-border data flows, data protection, data privacy, and personal data, to name a few. Data regulatory frameworks are complex, and many SMEs struggle to find the time and resources to fully comprehend their implications. SMEs may thus limit their utilization of data.

Evidence shows that the lack of appropriate (open) standards and fear of vendor lock-in, often due to proprietary solutions, can be strong barriers to adoption. This is particularly true for SMEs, which often lack the negotiating power and know-how about advanced ICTs such as cloud computing, data analytics, and the IoT.

Recent analysis suggests that small firms are often much more affected by poorly designed regulatory frameworks than large and incumbent firms, limiting their growth and reducing overall business dynamism. Policy action to boost the growth prospects of start-ups and SMEs is thus essential. The available data also point to systematic differences in the adoption of other complex digital technologies across firms.

The following policies can help SMEs benefit from the opportunities of the data-driven economy:

• Implement a national digital transformation strategy for SMEs. Enhancing competition in broadband internet to increase speed and reduce costs, promoting nationwide cloud service markets, or reducing import duties and taxes on information technology equipment are national policies with widespread impact that are particularly likely to benefit SMEs. In addition, specific strategic choices need to address the needs of SMEs. For example, digital public procurement has caused an increase of participation of digital SMEs. Awareness and technical training may be necessary to enable compliance with data policies and fully grasp the benefits of big data. A national strategy should also implement awareness-raising initiatives for SMEs to better understand the value of upgrading their technology and fully exploit the potential of digital data. Such an initiative could include, as appropriate, capacity-building programs specifically directed to SMEs.

• Encourage technology adoption and complementary investments. It is crucial not only to facilitate the access of SMEs to the technology itself, but also to help them make the necessary complementary investments, for example, in process and product innovation and in ICT services or in skills. SME engagement with competency centers or technology diffusion extension services can also be helpful.

• Implement data security strategies, with SMEs as a specific segment. Data security strategies often look just at the critical information infrastructure, but they should also address the specific needs of SMEs by providing them with practical guidance and the appropriate incentives for adopting good practices. For example, interest is increasing in tailored standards and certification schemes developed by or in cooperation with business and in leveraging digital risk.Implement data security strategies, with SMEs as a specific segment. Data security strategies often look just at the critical information infrastructure, but they should also address the specific needs of SMEs by providing them with practical guidance and the appropriate incentives for adopting good practices. For example, interest is increasing in tailored standards and certification schemes developed by or in cooperation with business and in leveraging digital risk.

• Implement open data for business initiatives. Some open government data initiatives focus on transparency and accountability and often tend to neglect its economic value. Disproportionate benefits exist from open data to SMEs, sowing the seeds of further growth and innovation. Even when government data does not have a price tag, the availability of data can depend on “who you are and who you know”; often, the relevant official must be persuaded to supply data and sometimes a personal visit to the office is necessary. As such, open data democratizes access and levels the field with respect to incumbents with established relationships and resources. In 2017, the World Bank's Open Data for Business assessment in Kenya found that small businesses could benefit from the release of government procurement, budget, and geospatial data, and that this would help address structural disadvantages in information access relative to larger, more established, companies.

• Promote data cooperatives among SMEs and value chains. These collaborative pools of data can facilitate access and use, and pave the way for moving beyond simply sharing information to a livelier exchange across public-private boundaries.

Looking Ahead

Data inequalities, as noted, increasingly dominate in global economies, but they need not be permanent. Available policy options, discussed further in chapter 6, include the following:

• Developing data infrastructure, though competitive market entry

• Closing the data talent gap

• Anticipating disruption, which may require, for instance, more frequent policy reviews and allowing new experimental approaches to flourish without pre-emptive regulation

• Anticipating disruption, which may require, for instance, more frequent policy reviews and allowing new experimental approaches to flourish without pre-emptive regulation

• Promoting data innovation and entrepreneurship

Develop data infrastructure

Recognition is growing within many governments that in the digital economy, as an infrastructure asset, data is on par with more traditional infrastructure like transport and public utilities. Indeed, stock exchanges place a much higher value on control of a customer's data than control of infrastructure (see chapter 1). Recent interest has

therefore been in crafting policy that recognizes data as an infrastructure asset. These government policies typically focus on management of the data assets (collection, access, reuse, sharing, preservation, security) and data governance (ownership, funding), though some also address storage (data localization, data center management). The same principles apply to private sector firms gearing up to develop data assets. In addition, governments need to facilitate the development of physical infrastructure to manage data from nontraditional sources that the current telecom infrastructure is not designed to support (IoT, for instance, or call data records).

Close the data talent gap

The shortage of data skills may be the most serious systemic factor holding back data-based innovation and productivity in several countries. Research suggests that 90 percent of jobs within developed economies already require a mea sure of digital and data skills, while less than one-third of the population possesses adequate skills. This is a gap that governments must close quickly. A few good practice examples include the Skills Plus program in Norway; the Tech Partnership (a network of employers focused on developing digital skills) and Doteveryone (an independent think tank focused on the digital society) in the United Kingdom; the Intel-backed "She Will Connect" initiative in Nigeria and Kenya; and the e-schools program in Estonia.

Count on disruption

The current wave of digital disruption has produced many winners that dominate the economic landscape (described by The Economist as "Big, Anti-competitive, Addictive and Damaging to Democracy" or BAADD). The disruptors may soon become the disrupted, however, especially as even newer types of data sources emerge and firms with next-wave data skills develop new products and services. Other threats include the disruption of the current advertising-based models, which may suffer if more restrictive data policies become the norm and data ownership is relitigated in different societies. Others have theorized that decentralized technologies like blockchain might ultimately be the death knell for firms like Google or Facebook. None of this is inevitable and it would be foolish to count the incumbents out, but the age of disruption is not over.

Policies for the Data Economy

Introduction

As seen throughout this report, data is at the heart of the digital economy – it is the raw material for the development of new products and services and refinement of existing ones. It is also a new asset class, worth billions of dollars. Data is also a policy area that has been evolving very rapidly in the past few years because of the rapid changes in technologies and their effects on relevant data policies. Policy makers struggle to keep up, despite efforts to issue technology-neutral data policy frameworks. As nontraditional sources of data become more common, and data is used in entirely novel ways, questions arise about who owns what data, who can do what with it, and what protections are afforded to whom.

One overarching message is that data policies can achieve greater impact using a dynamic ecosystem approach. Governments need to play a multidimensional role and create new partnerships with a wide range of stakeholders to achieve them. This chapter discusses four dimensions of this question.

First, the chapter briefly reviews policies for building strong data infrastructure to support making data available, including those for management of data assets and data governance. It focuses on open data and principles for data sharing between government, businesses, and individuals.

Second, the chapter considers policies geared toward building consumer trust and principles for setting limits on what can be done with data, such as data protection and privacy (including cross-border data flows and data localization) and data security. Trust encourages governments, the private sector, and users to innovate and benefit from the data revolution.

Third, data security is examined. The lack of a secure and trusted environment could delay both the adoption of data-enabled services and products and, potentially, their offering by the private sector. This could put emerging market economies at a disadvantage in participation in global innovation, educational, and commercial networks. Finally, the chapter covers complementary policies that facilitate building a data economy. Those include policies to support innovation, and those that help build digital skills and entrepreneurship.

As a rapidly evolving area of policy, the examples presented here focus on recent changes. Many come from the European Union (EU), as the European Commission (EC) is moving faster and farther than most in this area. The potential ease of transferring data, including through accessing websites across borders, gives the standards an international dimension (figure 6.1). Thus, new regulations such as the General Data Protection Regulation (GDPR) are of interest for the principles they espouse and for the practical issues they raise for anyone digitally interacting with them, including developing countries.

Figure 6.1 A framework for data policies

Policies for Building Data as an Infrastructure Asset

Data as infrastructure has recently become a prominent topic for discussion in policy circles. Recognition is growing within many governments that, in the digital economy, data is a critical new infrastructure asset that enables new, often more efficient and inclusive delivery of other activities, particularly services. The value of the data and the potential for use expands with quantity and quality. Interest has surged in crafting policies to support wider use of data, while also recognizing the new risks and challenges it poses. This first section looks at policies to expand the sharing of data and the next looks at how to balance that with addressing concerns about privacy and security.

Greater access to data also has beneficial spillovers, and data can be used and reused to open up significant growth opportunities or to generate benefits across society in ways unforeseen when the data was created. The Organisation for Economic Co-operation and Development (OECD) therefore recommends that policy makers aim for an innovation policy mix that encourages investments in data (its collection, curation, and reuse), while addressing the low appropriation of returns to encourage data sharing. This calls for ensuring a relevant legal framework exists, with policies aiming for the extensive sharing, use, and development of public data sources and research data infrastructure. Policies governing business-to-business and business-to-government data also need to encourage appropriate sharing of data, spurring innovation while avoiding stifling competition.

Governments increasingly recognize government data as a strategic resource (the data management policy of Qatar's Ministry of Information and Communications Technology, for instance, explicitly identifies it as such). The New Zealand data and information management principles provide a useful set of principles stating that information should be open, readily available, well managed, reasonably priced, and reusable, unless there are necessary reasons for its protection. Personal and classified information will remain protected. Government data and information should also be trusted and authoritative.

In supporting strong data infrastructure, governments should consider policies focused both on management of data assets and on data governance. The next section considers these issues for three types of data sharing – the reuse of certain government data, business-to-business data, and business-to-government data.

Policies on the reuse of public sector information

Many now recognize public data in user-friendly formats freely available online for anyone to use and for any purpose as a major resource to aid economic growth. While social media, companies, and non-government organizations can all be sources of open data, the term is usually applied to data that comes from government and government-supported institutions – open government data. The data governments collect or generate, when freely available, is more than just a tool to hold governments accountable. It also drives innovation that can help launch new businesses, optimize existing companies' operations, create jobs, and improve the climate for foreign investment. Increased availability of data can fuel the private sector through access to new types of public and publicly funded data, including data held by utility companies and the transport sector, and research data.

The benefits connected to reusable public data, especially open government data, are diverse and yet largely untapped. Positive outcomes range from greater transparency, efficiency, and economic growth to broader social welfare. Although some countries are applying the "open-by-default" principle to public data sharing policies, particularly advanced economies, this does not imply that all data sets should be made available to the public. When thinking of open data policies, governments can consider that the same limits apply to open data as to access to information. In other words, the protection of privacy, personal data, or national security are common limits. In addition, for governments just beginning to open their data, opening certain data sets over others holds more potential value. Geospatial data, or data on weather, transport, and roads, can be particularly critical, and among the first any government should consider opening.

The Open Data Charter sets out six principles developed in 2015 by governments, civil society, and experts around the world to represent a globally agreed-on set of aspirational norms for how to publish data (table 6.1). So far, 57 national and local governments have adopted it for the development of open data policies. However, a vast amount of public information is still made available (if at all) in non-user-friendly formats (that is PDFs and JPEG), making this data suboptimal for creating value-added services and products.

Table 6.1 Open data principles

	1. Open by default This can represent a real shift in how governments operate and how they interact with citizens. The presumption is that governments need to justify data that is kept closed, for example, for security or data protection. To make this work, citizens must also feel confident that open data will not compromise their right to privacy
	2. Timely and comprehensive Open data is only valuable if it is still relevant. Getting information published quickly and in a comprehensive way is central to its potential for success. As much as possible, governments should provide data in its original, unmodified form. Maintaining historical data is important for keeping track of changes and evaluating the impact of reforms.
	3. Accessible and usable Ensuring data is machine readable and easy to find will make it go further. Portals are one way of achieving this. But it is also important to think about the user experience of those accessing data, including the file formats in which information is provided. Data should be free of charge, under an open license, for example, those developed by Creative Commons.
	4. Comparable and interoperable Data has a multiplier effect. The more quality data sets you have access to, and the easier it is for them to talk to each other, the more potential value you can get from them. Commonly agreed-upon data standards play a crucial role in making this happen.
	5. For improved governance and citizen engagement Open data has the capacity to let citizens (and others in government) have a better idea of what officials and politicians are doing. This transparency can improve public services and help hold governments to account.
	6. For inclusive development and innovation Finally, open data can help spur inclusive economic development. For example, greater access to data can make farming more efficient or it can be used to tackle climate change. Finally, we often think of open data as just about improving government performance, but a whole universe exists of entrepreneurs making money from open data.

Transparency has been an objective of many open data initiatives in the past decade, based on the principle that sunlight is the best disinfectant. The most important data sets that help enable the growth of an anticorruption culture have now become clearer: corporate registers, public contracting information, information on public officials, land registration information, government budget and spending data, and courts data are all helpful for this agenda. Moreover, the modalities of the publication of this data are also important. Data published in user-friendly, machine-readable formats helps governments fight corruption more effectively as it enables civil society to analyze and support government efforts to identify irregularities. Promotion of common standards, such as the Open Contracting Data Standard, enables sharing of toolsets so that local activists can build on the work of those in other jurisdictions.

Although anti-corruption has been an objective of many open data initiatives in the past decade, the supply of data alone is seldom sufficient – civil society actors who will use the data, as well as government willingness to respond, are needed; with these in place, a "virtuous circle" can be created in which some initial pressure leads to initial improvement and release of more data.

Data access policies are increasingly expanding to cover data generated by publicly funded research. "Open science" efforts rely on the premise that scientific information resulting from public funding should be accessible and reusable, with as few restrictions as possible. The opening of research processes, designs, workflows of dissemination of results, and methodologies can expand quality, avoid duplication, and facilitate reuse, which ultimately can help maximize the societal role of science. Research data policies need to ensure coherence and complementarity between open access and open data policies.

Governments can also promote business opportunities by mainstreaming the use of application programming interfaces (APIs) for more automatic access to dynamic data. This has important implications in supporting data ecosystems, as it saves costs and time to access data, facilitating practical usage. Sharing data through secure APIs can produce value added for data assets across the data value chain, particularly where potential is often unexploited by data holders. However, current public sector use of APIs is limited, particularly in developing countries – expanding use requires awareness raising and training.

Policies for private sector data as a driver of innovation and competitiveness

Data can be shared to support the creation of more than one new product, service, or production process.

This can allow companies to connect in different datasharing engagements with larger companies, small and medium enterprises (SMEs), and start-ups, or even the public sector. This way, data value can be maximized on several fronts simultaneously.

Data-sharing models have emerged to promote fair and competitive markets for products and services that rely on nonpersonal machine-generated data created, and to assist public agencies in accessing private sector data, to guide policy decisions or improve public services. The EC (2018) defines a set of key principles to be taken into account to improve data sharing for all parties involved, in business-to-business (B2B) and business-to-government situations. Access to and reuse of private sector data also constitute major cornerstones of a common data economy.

Business-to-business data sharing

An ever-increasing amount of data is created automatically by objects or processes based on disruptive technologies, such as sensors and the Internet of Things. These mainly relate to nonpersonal data generated by machines and open a new discussion and a dilemma around the privileged position of the producers of those devices in determining the access to and usage of the data they generate.

An EC public consultation with private sector stakeholders showed consensus that more B2B data sharing would be beneficial (EC 2018), where data can be reused without losing data quality or competitive advantage. The critical point in B2B data sharing might not rely on ownership, but on how data access is structured, managed, and approached. It could be argued that, at this initial stage of the development of data economies, it is too early for legislation requiring B2B data sharing. However, governments can consider non-regulatory measures to promote B2B data sharing:

• Fostering the adoption and use of APIs for easier and more systematic access to data. APIs can open up a data ecosystem of startups, exploiting unused data sets and supporting host organizations to adopt and create new data services and products. This has happened in the financial sector, leading to the emergence of financial technology ecosystems and new products and services that are already showing a relevant impact on banking the unbanked. The configuration and utilization of APIs requires the consideration of several principles: security, use of standards, user-friendliness, stability, and sustainability over time.

• Providing key guiding principles for good practices in B2B sharing agreements to ensure fair and competitive markets and to avoid excluding SMEs. Those crafted by the EC are an example, including (a) transparency, clearly identifying who will have access, to what type of data, at which level of detail, and usage purposes; (b) respect for the commercial interests of data holders and users; (c) ensuring undistorted competition when sharing sensitive data; and (d) minimizing data lock-in to enable data portability as much as possible.

• Promoting the development of trusted and secure platforms and privacy-minded analytical techniques to secure sharing of proprietary industrial data and personal data and ensure compliance with relevant legislation (data protection, IP rights, and so on). Data collaboratives have emerged as a potentially viable response to the data challenges companies face. They provide access to "verified" and useful data (open data or otherwise) from public and private sources, commercial models that reward data producers and consumers, legal and regulatory protections and guidance, data security infrastructure, network connectivity, analytics infrastructure, and literacy programs.

Business-to-government data sharing

Data that companies collect and produce – cellular data, utility companies, shared carpooling services (such as Uber), or social media – can lead to improved traffic, better urban planning, and so on. As with B2B data sharing, governments can consider using key principles to guide these exchanges. The EC has defined the following key principles: (a) proportionality in the use of private sector data justified by clear and demonstrable public interest – the cost and effort required for the supply and reuse of private sector data should be reasonable compared with the expected public benefits; (b) purpose limitation of business-to-government collaboration; (c) "do no harm" – protection of trade secrets and other commercially sensitive information; (d) conditions for data reuse; and (e) mitigate limitations of private sector data such as potential inherent bias – companies supplying the data should offer reasonable and proportionatedate support to help assess the quality of the data.

Data Policies for Building Trust

What is at stake

Policies ruling the data governance framework require as much attention as is given to the need for robust management of data infrastructure. This section focuses on data protection and privacy, as well as data security policies. Countries are struggling with how to build trust in the digital data economy. Policy considerations in many cases are similar to those posed by 'analog data'. Personal data, whether machine generated or not, is subject to the same privacy rules in Europe as analog, for instance. The World Intellectual Property Organization argues that no additional intellectual property protection should be awarded to machine-generated data beyond the traditional ones, nor should it be awarded less. A recent paper by the World Bank and the Consultative Group to Assist the Poor (CGAP), looking at the use of alternative data to build credit histories for greater financial inclusion, frames many policy questions that, at their core, do not vary much from those posed by the use of other kinds of data. If countries can tackle key aspects of trust policies, they will be well on their way to creating a better environment for the digital data economy.

Data protection and privacy are critical policy issues for the data economy and are key to building consumer trust. These are two separate but intertwined concepts. Data protection refers generally to the protection of personal data, though it may also be used in the context of commercially sensitive data. A common definition of personal data was cemented by the EU in its 95/46 Directive, as data that identifies a person, or allows such identification by cross-referencing it with other available data. Privacy is a broader concept, which has sometimes been defined as the right to be let alone, and it refers not only to data, although it partially covers it. What is at stake for either goes beyond keeping personal or embarrassing information from others. Big issues are how the data will be used and the risks that it will exclude people (such as, for example, by making people ineligible for insurance or credit) or be used for price discrimination, to suppress competition, or to manipulate people (such as, for example, through the crafting of news that could swing elections). This chapter uses 'data protection' and 'privacy' interchangeably.

Big data provides an example of the massive challenge to privacy in widespread use of technology. Big data preserves privacy by detaching information from individuals and repurposing it. However, by taking multiple, anonymized data sets and triangulating them, you can begin to break down that anonymity. For instance, take information about all the journeys that people have taken over the past year from a taxi service. This data alone is not necessarily sensitive, but if you combine it with venue information and social media, you could conceivably make assumptions about an individual who ended or began journeys at a known lesbian, gay, bisexual, and transgender (LGBT) destination. In countries where this is condemned by law, this information could result in people being sent to prison or worse.

The struggle between the need to protect privacy and allowing big data to continue to improve the way we live without quashing innovation is unlikely to be resolved easily. It remains to be seen how effective new laws, such as the GDPR, will be in achieving either of these aims. One certainty is that data production will not slow down and neither will the development of new ways to use it – legislators face an uphill battle to keep pace.

Trends in principles in protecting data privacy

Data protection laws have been in place for a while, with privacy rights protected as early as in ancient Roman times. Even though the right to privacy was not recognized as such by Roman law, several privacy violations, such as the invasion of the sanctity of one's home, were covered under the law. However, the numerous issues brought up by the sheer volume of data that can be collected about a person through online personas and questions about who can do what with those data, or who 'owns' that data, have brought privacy concerns to the forefront of the news and therefore to the desks of policy makers.

Technological developments are pushing policy makers to either amend existing privacy legislation or pass new legislation. The EU 95/46 Directive was replaced in May 2018 by the GDPR. Even international standards, such as the OECD Privacy Guidelines, or the APEC Privacy Framework, were recently revised or expanded to accommodate these developments.

The GDPR is likely to have a trickle-down effect as other countries revise data protection legislation, and it is already having extraterritorial reach in private sector behavior. Consumers around the world are getting notices of revised privacy policies by global companies in compliance with the GDPR, and some content websites outside Europe have refused access to European consumers because they could not ensure compliance with the GDPR.

Among the regulatory trends in the privacy space, the more salient are focused on a risk-based approach to compliance and on proactive measures to protect privacy, as opposed to measures in reaction to a breach. 'Privacy-by-design' standards require companies to embed technological measures protecting privacy in their product and service design, for instance, to ensure anonymity of users. The concept of privacy by design was developed by Ann Cavoukian, former Information and Privacy Commissioner in the Canadian Province of Ontario.

The GDPR takes this one step further by carving out the related concept of 'privacy by default'. With privacy by default, the expectation is that companies and those processing or controlling the data will put in place mechanisms to ensure that only those items of personal information needed for each specific purpose are processed 'by default'. The main principle is to be proactive rather than reactive and preventive instead of remedial. This is a practical approach for emerging markets to consider, since it can help enforcement, give the private sector a more proactive role, and help prevent privacy violations and data breaches. The capabilities of the local private sector would need to be considered, as well as a plan that would help them ease into this approach should they not have the necessary resources or skills to do so.

Another trend is a strong focus on data security, preventive as well as once a data breach has occurred, on breach notifications. This important corollary to privacy protections is discussed in more detail below

A legal framework is increasingly a necessity, not a luxury

The need for a legal privacy framework is no longer questioned, even in emerging markets that perhaps are used to seeing privacy at some point as a 'luxury' right. According to the United Nations Conference on Trade and Development, 108 countries either had data protection laws or some kind of law that deals with data, whether in force or not, as of April 1, 2018. However, levels of protection, particularly enforcement, vary widely, even within countries with legal frameworks. In the nearly 30 percent of countries with no laws in place, personal data receives little or no protection, reducing trust and confidence in a wide range of commercial activities. A lack of or weak regulation put these countries at risk of being cut off from international trade opportunities, because many trade transactions require cross-border data transfers that comply with minimum legal requirements.

The GDPR brings additional incentive to strengthen data protection regimes for countries without one or with weak regimes. With a clear objective for extraterritoriality beyond EU borders, the GDPR introduces fines of up to €20 million, or 4 percent of global turnover, whichever is higher, for firms that are data processors or controllers and found not to be compliant. Firms in emerging markets may be subject to those fines if they are found not compliant. This could happen, for instance, to firms with no or little physical presence in the EU, but whose advertisements target EU consumers. Enforcement could be done through the branch office or subsidiary located within the EU of the firm from the emerging market.

Issues to consider when enacting or updating a legal framework

Follow the principles

Numerous countries have identified the need for coordination and cooperation in privacy and data protection. Most have used regional bodies, such as the EU or Asia-Pacific Economic Cooperation, as the vehicle for that cooperation rather than international agreements. These bodies have enacted guidelines or regulations and, not surprisingly, many principles are common among them. Countries considering enacting or updating privacy legal frameworks can reference those common principles. These include principles shared by the European Convention on Human Rights, the OECD Privacy Guidelines, the APEC Privacy Framework, and the GDPR.

Raise awareness, highlight key issues, engage relevant stakeholders early on

at least 35 countries are currently drafting data protection laws to address this gap. A number of economies are also considering reforms to legal frameworks, including to the extent that it may be affected by extraterritorial application of the EU's GDPR. However, drafting and implementing data protection laws is time consuming and challenging. Surveys by UNCTAD of government representatives in 48 countries in Africa, Asia, and Latin America and the Caribbean point to the need to build awareness and knowledge among lawmakers and the judiciary to formulate informed policies and laws in data protection and to enforce them effectively. More than 60 percent of respondents reported difficulty understanding legal issues related to data protection and privacy. Similarly, 43 percent noted a lack of understanding among parliamentarians and 47 percent among police or law-enforcement bodies, which can delay adoption and enforcement of data protection laws.

Another study, covering 22 of the globe's largest information and communication technology (ICT) firms, found that none of them disclosed adequate information about privacy practices and how user information is collected, shared, retained, and used. Requests by governments for access to such data are growing, with most emanating from the United States (figure 6.2).

Figure 6.2 Government requests for user data

As with any other legal issue, when developing a legal framework, it is important to engage the main stakeholders early on. This will allow countries to understand potential issues and to get their buy-in and build capacity for implementation. Some countries, like Mexico, have put together a comprehensive effort to raise awareness of these issues with the different government branches, including at the state level. With the support of a World Bank project, the Ministry of Economy in Mexico commissioned a thorough review of existing legal issues and gaps and put together a training package for the judiciary, parliamentarians, and state government officials. This helped Mexico not only to identify issues, but also to prepare for implementation.

Other countries, particularly in Eastern Europe, have benefited from twinning programs with an existing data protection agency in another country that has provided technical assistance in the setting up of both the legal framework and their counterpart agency. It is also important to identify potential issues and concerns for private sector stakeholders at an early stage. Countries in the Latin American region support each other in such initiatives through the Ibero-American Data Protection Network. Seychelles is reviewing its data protection framework andOther countries, particularly in Eastern Europe, have benefited from twinning programs with an existing data protection agency in another country that has provided technical assistance in the setting up of both the legal framework and their counterpart agency. It is also important to identify potential issues and concerns for private sector stakeholders at an early stage. Countries in the Latin American region support each other in such initiatives through the Ibero-American Data Protection Network. Seychelles is reviewing its data protection framework and is conducting stakeholder consultations. This will help its government put together a framework taking into account potential obstacles for implementation, including those that could come from a lack of private sector capacity or other country-specific issues.

Consider the legal culture

As seen in chapter 4 and figure ES.4, the level of tolerance for giving up one's privacy varies from country to country, and from individual to individual, with some citizens putting greater value on protecting their credit card information and others placing greater value on protecting their health information. For any country considering enacting a new privacy framework, this cultural dimension will be critical. A reflection of these cultural issues can be seen in the different approaches to privacy taken by the EU and the United States. In the EU, the right to privacy, but also the right to have one's personal data protected, are considered fundamental and are recognized in the Charter of Fundamental Rights of the European Union. This approach has resulted in the EU having an umbrella data protection framework that does not distinguish between data being held by private or public actors, and which contemplates only a few exceptions, such as in the area of national security. But the EU is not alone in considering privacy a fundamental right. Even in India, where this was no explicit right to privacy, India's Supreme Court found recently that privacy is a fundamental right protected by the constitution. In the United States, by contrast, privacy is not recognized as a fundamental right. Although constitutional limits on the government's intrusion into individuals' right to privacy can be found in the Fourth Amendment, and to some extent in the First and Fifth Amendments, the right to privacy is more of a balancing act against other rights, including very strong rights to free speech and freedom of information. This has led to a more segmented approach to privacy protection, with, for instance, a Privacy Act for children, and for the health sector (Health Insurance Portability and Accountability Act). These deal with data held by government entities and are complemented by different pieces of legislation for data held by commercial entities. The international trend has been toward more comprehensive privacy frameworks, however, and even in the United States several bills have been introduced for 'omnibus privacy laws,' although they have not yet been adopted.

by the constitution. In the United States, by contrast, privacy is not recognized as a fundamental right. Although constitutional limits on the government's intrusion into individuals' right to privacy can be found in the Fourth Amendment, and to some extent in the First and Fifth Amendments, the right to privacy is more of a balancing act against other rights, including very strong rights to free speech and freedom of information. This has led to a more segmented approach to privacy protection, with, for instance, a Privacy Act for children, and for the health sector (Health Insurance Portability and Accountability Act). These deal with data held by government entities and are complemented by different pieces of legislation for data held by commercial entities. The international trend has been toward more comprehensive privacy frameworks, however, and even in the United States several bills have been introduced for 'omnibus privacy laws,' although they have not yet been adopted.

In some countries, the use of alternative sources of data (such as credit history downloads from a mobile phone) has revolutionized financial inclusion, allowing consumers with little to no credit history to access credit, but could also further raise the bar for others to ever be able to access credit. However, the use of those same data can lead to price discrimination on the basis of race or gender, or to denial of credit because of data inaccuracy. Questions arise about where to draw the line and whether the basis for government action should only be preventing harm. For those who view privacy as a fundamental right, there is no need of injury for a government intervention, while the definition of injury can be as broad as contravening a person's expectations with regard to respect for their privacy.

Other considerations: Extraterritoriality, trade issues, and cross-border data flows

A key privacy policy issue with potential for big effects on a country's economy is the regulation of cross-border data flows. McKinsey Global Institute estimates that flows of data and information now generate more economic value than the global goods trade. Although many of these data flows are concentrated in a handful of large companies, some, such as eBay, Amazon, and Alibaba, are really platforms allowing SMEs all over the world to becoming mini- exporters, with an impact across multiple economies. And individuals are not being left behind. About 900 million people have used international connections on social media to connect to networks to find a job, and 360 million take part in cross-border e-commerce.

Data transfer policies

Companies need to transfer many different kinds of data across borders in the regular course of business. Those may include data related to commercial transactions, their own internal operations, monitoring supply, human resources data of global employees, and product support in real time. Countries that regulate data leaving their borders often do so on the basis of privacy and data security concerns. Already in the 95/46 Directive, the EU regulated data transfers outside of the EU, and transfers were only allowed to countries the EC determined had adequate data protection. So countries with lower standards risk cutting off opportunities for firms or individuals in their countries from using platforms, websites, or activities involving the transfer of data with EU countries. Governments contemplating restrictions on data transfers outside their borders based on privacy and data security, above those of existing international standards, may discover that global companies decide that it is simpler to block consumers in a particular jurisdiction from accessing services than to try to comply with the data protection rules of that country. This is the recent example of U.S. advertising technology companies. Having data policies out of line with larger regional players is a particular problem for small markets in developing countries that are not part of a wider trade bloc.

Self-regulation, if it complies with required international standards, is another option. Given the reality of global commerce, even the EC has allowed the use of some self-regulatory tools to ensure adequate protection of data outside of its borders under the 95/46 Directive. Global companies could issue binding corporate rules or policies that are internal to a group of companies and become binding once approved by the relevant data protection authorities. They could also use model contracts with their subsidiaries that would ensure adequate protection of personal data. The GDPR expands existing mechanisms and introduces new tools for international transfers. It offers, among other things, adequacy decisions, standard contractual rules, binding corporate rules, certification mechanisms, codes of conduct, and so-called derogations. Countries considering these options have to consider enforceability of instruments like the codes of conduct, and what happens if an institution does not follow its code.

Beyond self-regulation, another option could be specific bilateral agreements between countries, whereby smaller countries offer mutual recognition of rules applied in larger trade blocs, such as the EU, similar to the approach used in type approval (that is, homologation) of customer premises equipment. The EC signed an agreement on International Safe Harbor Privacy Principles, whereby certain companies subject to the FTC's jurisdiction would commit to protect data abiding by the same principles spelled out in the directive. This allowed many companies in the United States, which did not have an 'adequacy' finding from the EC, to still transfer data to and from Europe. The Safe Harbor agreement has now been replaced by the Privacy Shield agreement.

But even if countries do not impose particular restrictions on data flows, having to comply with different sets of data protection rules in different countries becomes costly for companies, and a de facto trade barrier. This has led some companies to apply the EU standards to their worldwide operations, as they are considered some of the most stringent, hoping to minimize compliance costs.

Data localization

Data localization policies, in addition to data transfer policies, affect cross-border data flows, international trade, and access to global markets. Data localization rules require firms to locate data servers or data centers within the borders of a country to store and process information. Studies show that data localization and other barriers to data flows impose significant costs: reducing U.S. GDP by 0.1–0.36 percent; causing prices for some cloud services in Brazil and the EU to increase by 10.5 percentage points to 54 percent; and reducing GDP growth from 2.4 percent to 1.7 percent in Brazil, China, the EU, India, Indonesia, the Republic of Korea, and Vietnam, which have all either proposed or enacted data localization policies.

In Rwanda, the regulatory body, the Rwanda Utilities Regulatory Authority, went a step further and imposed a fine of US$8.5 million in May 2017 on the mobile operator MTN for storing customer data in Uganda. This is equivalent to about 10 percent of its annual revenue, and the decision is likely to have a chilling effect on foreign investment into the country, as well as deterring foreign firms from offering services there.

Defenders of localization laws cite national security, protection of personal data, local cultural and historical context, and economic nationalism as arguments; opponents see such laws as a major barrier to trade and competitiveness. Localization creates its own set of winners and losers in the domestic market. It has been argued that localization laws benefit larger firms at the expense of smaller firms that often do not have in-house data skills and must often pay more per unit of data stored at local firms than might have been available from international data hosting services.

On the other hand, localization laws can shelter local firms to develop skills and capacity without the threat of competition from international firms. Opponents also cite issues such as poor data security (as many countries with localization laws lack the skills to handle data securely) and the risk that localization requirements can soon become more pervasive and expand to include other types of data.

Balancing other rights

Data protection and privacy are not absolute rights and need to be balanced against other rights. Some of those rights are access to information, freedom of speech, and the protection of national or personal security interests. Different countries place different emphasis on different values. For access to information, the benefit or the public good of divulging certain information needs to be balanced against an individual's right to privacy. It is generally accepted in many jurisdictions that individuals with a public persona have a lesser expectation of privacy than others. For instance, there is legitimate public interest in knowing whether a lawyer who is prosecuting a case of sexual harassment is practicing what they preach. But even here, public figures are increasingly bringing cases involving the violation of privacy and sometimes winning compensation for alleged defamation of character.

Implementation issues

Enforcement

As with any laws, when considering privacy laws, enforcement is a key issue. Whatever the framework, it is only as worthy as its enforcement. Even absent a specific privacy framework, a strong enforcement agency can still protect people's rights through an interpretation of other existing laws. This has been the case for the U.S. FTC. The FTC has been a strong enforcer of privacy rights by implementing a more general statue, the Federal Trade Commission Act, which gives them jurisdiction to protect consumers from deceptive or unfair acts or practices. Examples of recent cases include privacy cases against Uber, Lenovo, VTech, and Venmo.

The reverse is also true. Countries with strong legal frameworks on paper that are nonetheless not enforced remain at the same level as countries with no framework at all. Countries considering institutional arrangements for their laws can look at different models of good practices around the world. The EU GDPR calls for the establishment of independent data protection authorities. Following this model, some economies have chosen to establish a standalone data protection authority, including Canada, Mauritius, and South Africa. Other countries have chosen to merge that independent authority with the authority protecting access to information rights, such as Mexico and the United Kingdom. Other countries, such as the United States, have jurisdiction spread among several agencies, with the consumer protection agency as one of the main enforcers. Yet another model brings the enforcement powers for privacy laws under the Ministry of Justice, such as in Argentina.

No absolute right or wrong way to think about enforcement exists, as long as the end results are there and the law is enforced. Important considerations are identified in the OECD Privacy Guidelines, and include encouraging and supporting self-regulation, whether in the form of codes of conduct or otherwise; providing for reasonable means for individuals to exercise their rights; providing for adequate sanctions and remedies in case of failure to comply with privacy frameworks; and ensuring no unfair discrimination against data subjects.

Emerging market economies need to consider what is feasible within their own contexts, taking into account the budget and skills required. Enforcement alliances, both with other local enforcement agencies, including criminal, as well as with international enforcement agencies, can help greatly.

Enforcers can also have a role in continuous awareness raising, both for the data subjects and for those who manipulate the data.

Data Security

On March 22, 2018, the U.S. city of Atlanta was hit by the dreaded SamSam ransomware attack, which brought the city's ICT systems to a halt. Utilities could not collect bill payments, citizens could not pay traffic tickets, the police had to note complaints by hand ­– the city's digital apparatus essentially stopped functioning and many departments and agencies lost several years of data. Unfortunately, this was not an isolated incident. In India, a journalist was able to obtain unauthorized data from Aadhar, the national digital identification system. And in Mexico, web users were surprised to discover that the voter data of more than 93 million Mexican citizens was easily accessible online even though the information was classified as confidential.

It is evident that "not all data is created equal". Most data is likely of low value, with more limited amounts of medium value, let alone high value. And risk varies across types of data assets too. From a business's perspective, it makes little financial sense to spend as much protecting all assets regardless of their value or the risks they face. Such a requirement could impose a crippling financial burden. At the same time, most organizations lack the skills to properly audit their data assets and thus end up with "orphan assets" littered across systems whose value is less than the cost of controls to protect them. What organizations should focus on, at a minimum, are their "extraordinary assets" critical to them as well as data for which costs or breaches of privacy rights could be significant should the data become public. If protecting everything equally is not an option, taking this risk management approach should safeguard against deprioritizing sensitive data that is of low financial value to a firm that holds it.

A recent report found significant vulnerabilities in more than three-quarters of applications used by the federal government in the United States . Numerous reasons appear to explain this:

• Poor data management processes ­– including inconsistent response, unresolved issues, notification practices, and lack of data encryption practices

• Legacy systems and old software ­– still in use in many government organizations

• Poor capacity and skills ­– due to government's inability to attract top-drawer data-security talent

• A low priority afforded to security when making technical infrastructure investments ­– in a recent study, respondents showed a marked preference for investments in network security and end-point security over investments in data-at-rest security

Data security is not only about ICT; it should also cover "analog" aspects of security (such as vetting of staff and physical access to control buildings). Countries use policies as a tool to manage risks and help respond to actual incidents. Data security policies can be in different kinds of laws, including cybersecurity and data protection laws. Governments have to consider leading by example and applying themselves to strong data security measures, in addition to what they expect from the ICT industry.

The OECD identified the main common principles for information security in their Guidelines for Information Security and Networks in 2002 and updated them in the OECD Recommendation on Digital Security and Risk management; these principles were further spelled out in the Madrid Declaration. They emphasize risk management, awareness raising, having a preparedness and continuity plan to respond to incidents, and adoption of security measures to avoid data corruption, loss, misuse, or unauthorized access. They also highlight stakeholder cooperation, including across borders, given that most incidents have a multi- country footprint. Robust cybersecurity policies, targeting the vulnerability of IT systems, infrastructure, and networks beyond data, should complement data security policies. Different international initiatives have produced or are producing guidelines on cybersecurity.

For consumers, one of the rising trends is to request data breach notifications. Breach notifications can be useful to consumers when their data has been compromised or lost, since a notification allows them to take corrective action as needed. Different countries have different requirements for breach notification, and the main differences are the triggers and timeline for notification. The triggers determine what level of breach is required in order to notify consumers and can rely, for instance, on the sensitivity of the information accessed and the likelihood that it will be misused.

In a report on data-driven innovation, the OECD recommends that organizations establish a systematic framework of digital security risk management processes and weld it together with the data value cycle (figure 6.3). In this framework, the criteria for determining the level of security are based on the acceptable level of risk to the economic and social activities at stake and not the likelihood of threat. Such an approach is premised on the primacy of data as a socioeconomic asset that justifies the move from a culture of security to a culture of risk management.

Figure 6.3 Digital security risk management cycle

Policies for Maximizing the Data Economy

In addition to policies for the management and governance of data itself, a number of complementary data-related policies exist that governments can pursue to support the development of the data ecosystem and ensure that access to opportunities is inclusive. Digital skills and data for innovation and entrepreneurship are discussed here.

Data skills

To take advantage of the data economy, more people need to have the requisite digital skills. Educational programs that employ rapid skill training are increasingly demanded to develop data skills and capabilities for the use of data tools for innovators, entrepreneurs, SMEs, other private sector entities, and government agencies. According to Cisco, a shortage of 1 million people to fill data security jobs will exist over the next five years, and demand for data scientists between 2011 and 2013 alone increased about 40 percent. Data skills and tools have become crucial among firms, governments, and, particularly, entrepreneurs.

Data literacy is increasingly considered a core skill, with some research suggesting that 90 percent of jobs within advanced economies already require a measure of digital or data skills, while less than one-third of the population possesses adequate skills. The gap in developing countries is even wider. This is a gap that governments must close quickly.

Governments have employed different models to promote digital literacy. Examples include the following:

• Inclusion of digital literacy as part of government-supported basic skills programs, such as the Skills Plus program in Norway.

• Support to advanced digital skills. In the United Kingdom, for instance, the Government Digital Services supports a range of programs, such as the Tech Partnership (a network of employers focused on developing digital skills) and Doteveryone (an independent think tank focused on the digital society).

• Programs aimed specifically at women and girls, who are often underrepresented in the ICT sector. Examples include the Intel-backed She Will Connect initiative in Nigeria, Kenya, and South Africa, and Mozilla Learning's partnership with UN Women to support a network of web literacy clubs in Kenya and South Africa specifically aimed at upskilling girls and women through face-to-face peer learning.

• Mentoring and peer learning based programs. Such programs include Reboot UK, the Swedish IT guide program (which pairs immigrants with elderly Swedes), and the "CompiSternli" program in Switzerland (which pairs children with the elderly).

• The incorporation of coding into school curricula. This is done in the e-school program in Estonia and similar programs in Denmark, the United Kingdom, and the United States.

Some lessons and policy recommendations for governments to consider from these various digital skills initiatives include ensuring data literacy programs are multistakeholder (including participants from the government, private sector, and civil society); building on existing programs, where possible, rather than starting from zero; blending traditional nondigital education with data and digital literacy; bridging formal and nonformal sources of education, such as using mobile phones as a learning tool in developing countries, especially for refugees; and developing societal teaching capacity and mentorship programs.

Data innovation

Companies with huge amounts of data at their disposal and the technical capacity and skilled employees to analyze the data will gain competitive advantage.

In the digital revolution, access to large and diverse data sets is a prerequisite for innovation. Policies geared toward unlocking the reuse potential of data can boost the data economy so that businesses and governments are not left behind, but put forward at the frontier of innovation.

Public and publicly funded data can be at the service of data-driven innovation. Access and reuse of public and publicly funded data can constitute a cornerstone for a data economy. Policies aiming at making more data available and making data more reusable include policies to lower market entry barriers, particularly for SMEs, by reducing charges for the reuse of public sector information.

The nature of data-driven innovation also raises new challenges, including how to safeguard competition and to avoid using data as a barrier to the next generation of entrants and innovators. Given the value of controlling large amounts of data, there can be winner-take-most dynamics of companies benefiting from network effects (that is, where the more people that use a platform or service, the better the experience of everyone else using it). Although it is beyond the scope of this report to discuss competition policies, the treatment of data-sharing policies and the handling of data within intellectual property rights protections will increasingly be central parts of them. Another way that governments can address the risk of excessive first-mover advantage is ensuring that its own data-sharing arrangements do not result in few re-users able to exploit the data in practice. Increased transparency of public data reuse can allow any company, regardless of size, to be aware of the data available and promote a broader spectrum of re-users exploiting the social and economic value of data.

The EU estimates that, in 2016, some 254,850 data companies existed across the union, and that the figure could grow to some 360,000 by 2020 under a high-growth scenario.

• Government innovation. Government laboratories such as fab labs, data labs, and urban labs have emerged across regions. In 2016, the government of Mexico launched its Datalab for data analysis to improve Mexico's public policy formulation and management. Among cities, Barcelona's CityLab and Mexico City's Laboratorio para la Ciudad are examples of municipal level interventions for urban innovation using data.

• Private sector innovation. Policies are needed to build awareness, capacity, and adoption; and to promote cross-cutting uptake for market analysis, financial inclusion, value chain integration, and know your customer across sectors. As discussed in chapter 5, to ensure these policies reach a majority requires attention to SMEs and to the underlying layer that can connect firms to customers, vendors, associations, governments, and so on.

• Citizen-driven innovation. Innovation policy traditionally supports the "supply" side by funding research and development in areas deemed to yield scientific market results. Demand-driven innovation policies, in which processes are driven by the end beneficiaries rather than researchers, aim to ensure instead greater relevance and uptake. This is the case of data policies that consider that social innovation can promote citizen engagement and creative thinking about alternative ways to provide services and address problems. An example of this approach in Tanzania, Data Zetu, is part of the Data Collaboratives for Local Impact program, and aims to empower communities in Tanzania to make better, more evidence-based decisions to improve lives. Data Zetu works with stakeholders to build skills and develop digital and offline tools that make information accessible to everyone. Civic tech, crowdsourced programming, and open innovation processes to tackle development challenges can bring together the skills and technology needed to make a difference in the lives of those who need them most.

• Development innovation. Data is also shaping the traditional paths of development. The UN-coined "data revolution" has triggered novel development approaches that help analyze the context, measure impact, and coordinate project efforts on the ground, among others. Data is a cross-cutting tool for achieving the Sustainable Development Goals. Development is about knowledge, and data amplifies the power of development assistance as the building block of knowledge.

• Data entrepreneurship. Governments should ensure that other sources of innovation investment, ICT industry stimulation, and start-up incubation are playing their part in supporting the growth of innovative uses of data and of the supporting ecosystem of ICT and other services. In 2015, as noted, the Open Data Incubator for Europe was launched to support the next generation of digital businesses and fast-track the development of their products. Within the six-month incubation program, companies receive up to €100,000 (US$116,000) in equity-free funding, mentoring, business and data training, high-quality media, visibility at international events, and introductions to investors.

Policies for data-driven development

In examining data policies for the digital economy, it is easy to focus on the dark side ­– combating cybercrime, threats to data security, loss of privacy, and similar matters. But the data economy is not only about policies to mitigate risks; it is also about policies to maximize value. The true value of data is largely in its use. A strong demand-side "pull" of data is important. It creates and maintains pressure on expanding ubiquity. And it ensures that the wider data ecosystem develops and that data is turned into economic or social value with positive impacts for citizens. As shown throughout this report, the "pull" can come from governments, civil society organizations, the private sector, academia, journalists, international organizations, and donors, as well as from individual citizens. Data-driven development involves all of us.