Re: So instead of...
There's a lot of data a business needs to survive. It's their data and possibly they may be a little more motivated to look after it. Maybe they won't but if they suffer a breach it's just their problem.
If it's customer data it's a lot of other people's problem. The significant difference there is trust: the customers trust the business and the business fails to live up to that trust despite all the protestations about that after the event.
As to decentralising data, the general thrust of the article seems to be that it's the customer who looks after their own data. Let's say I want to order something online on this basis. What needs to happen in data handling:
1. I select what I want to buy, I go to the checkout page. I enter my name and delivery address. That's in my own memory where it's not open to a ransomware attack.
2. I enter my bank account details which I copy from my hard copy bank card. This may well be verified by the bank's own pop-up app. The bank already holds my details, that's inevitable. I hope that my bank is a lot more secure than the average retailer. It's not 100% but ultimately it's the bank's problem if they're not; they're regulated more effectively than the retailer. That last statement is worth reflecting on.
3. The bank confirms the purchase to the retailer.
4. The transaction is confirmed back to me on screen, possibly offering a PDF to download and I can take a note of that. No email is needed. I am, however, holding my copy of that, possibly on my computer although I could make a written note or print the PDF.
5. The retailer prints a picking/despatch note and a shipping label.
6. At this point the company doesn't really need to keep personal information online any longer and can delete it. A summary of the transaction without these details can stay on their system.
7. When I receive the goods I can retain the packing note and delete any reference to it on my computer or retain it at my own risk - I'm not placing anyone else at risk.
Before anyone gets het up about needing to keep this in case of delivery problems, warranty claims etc. they have this on the picking note with the personal data on it; once delivery is confirmed they can dispose of that. If I have a complaint down the line it's up to me to produce my copy of the despatch note or the electronic copy of the order acknowledgement if I chose to keep that.
The retailer's holding of my PII is limited to the time needed to print out the paperwork. My holding is at my choice. The long-term holding of information by the retailer is more or less what they'd have held if I'd walked into a shop and paid cash for the item, a business model which has worked for a few thousand years.