How AI can help enterprises stay on top of data governance [Q&A]
Security breaches and privacy violations can cost businesses dearly, not only in financial penalties but also by causing damage to their reputation.
Keeping tabs on your data and how it's used is an essential part of staying in control, and it's an area where AI can help. We spoke to Amar Kanagaraj, founder and CEO of AI-powered data protection and data governance specialist oneDPO, to find out more.
BN: AI technology is excellent at spotting patterns and trends, how can this help with data protection?
AK: Organizations have a complex data ecosystem and the complexity continues to grow as the volume, variety, and velocity of data keeps increasing. In such an environment, finding data protection risks is challenging. You are searching for a needle in a massive stack of needles!
Moreover, identifying data privacy issues requires a good understanding of the context in which data is collected and used. For example, a company may have permission to use an individual's phone number for security, but the company may not have permission to use it for marketing.
To deal with the complexity, companies add manual processes to address data privacy. But the problem is manual processes don't scale. Unlike manual processes, AI-based solutions can scale along with the data. AI can identify sensitive personal data across data sources inside an organization. AI can also help organizations understand what data they hold and how they use their data. AI/ML can continuously look for patterns and identify privacy issues.
BN: Does the amount of data that companies now collect increase their level of risk?
AK: Today, businesses collect a staggering amount of data from sensors to mobile apps. As the amount of data grows, the complexity of managing and governing the data is exponential. Data doesn't stay at the source inside any organization; it travels throughout the organization. As the data travels inside an organization, it gets transformed, increasing the data footprint. Most companies don't have a good grasp of where and how their data is stored and managed. As a company becomes more lax concerning data governance, the risk of breaches and privacy violations increases.
Moreover, with many data protection regulations emerging with different data processing restrictions, governing becomes incredibly challenging. Hence data minimization, one of the core privacy principles, is gaining popularity. Data minimization recommends organizations limit data collection and processing to the minimum that is necessary to run your business.
BN: How can you ensure that the AI is properly trained to find data protection issues?
AK: Performance of AI/ML largely depends on data used for training. In some areas within data protection, we have a rich dataset to train AI. For example, as security threats and incidents grow, the amount of data on incidents and user activity increases. The historical data provided the training data needed to apply AI/ML to detect security issues. In recent years, a class of security products called UEBA (User and Entity Behavior Analytics) has emerged. UEBA uses AI/ML to detect security risks. They then apply AI to analyze many user usage metrics and patterns to locate insider risks.
The data privacy space, for the most part, is still emerging. Hence the availability of training data and implementing AI is challenging. On the bright side, PrivacyTech companies are constantly innovating to provide new solutions. At oneDPO, we use AI and privacy engineering to tackle data privacy. AI has also rapidly evolved in the past few years. Many techniques and advances have helped develop sophisticated AI even if your company is working with a limited data set.
BN: Can AI help to detect data protection compliance violations?
AK: As governments realize the importance of protecting consumer privacy, they are passing legislation, such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Protection Act) to control how consumers’ data is stored and used. The new privacy laws have expanded the scope of protected personal data. Previously, organizations considered personally identifiable data (PII), such as social security numbers, as personal data. With the new laws coming into force, businesses must also protect data that can potentially lead to the identification of a person. For example, if a combination of zip code, age, and gender can identify a person, then all three must be treated as personally identifiable information (PII).
With the new laws, all previous approaches will be insufficient. As the laws evolve, AI-based privacy solutions can rapidly adapt and meet complex new requirements. As tools mature, AI can play a significant part not only in enabling compliance but also enforcing better privacy.
BN: Is it important to include all copies of data, including backups, when implementing data protection?
AK: When it comes to data protection, backups must be treated with the same care as the actual data. According to GDPR, if an organization collects, stores, or uses the personal data of EU citizens, then they must ensure that all data, including copies of the data, is protected. Hence, organizations must enable encryption and the correct governance procedure for backups of personal data. As companies incorporate privacy-preserving technologies into their operations, they must include backups in their initiative.
BN: Will strong data protection slow a company's innovation? How can AI help?
AK: Historically, companies didn't consider data privacy a top priority. Driven by new regulations and increased customer awareness, companies have started enforcing data protection processes and policies. Due to a lack of proper privacy tools, many of these policies are enforced manually by adding more checks and restrictions. Such rudimentary methods restrict the flow of data and limit the value that can be gained from the data.
New PrivacyTech companies like us are applying technologies to simplify data protection. By deploying AI and other privacy-preserving technologies, new PrivacyTech tools hope to automate privacy monitoring, detecting, and preventing data privacy issues. We aim to embed privacy into a company’s culture, processes, and systems. An automated solution increases confidence and allows a better flow of data, greatly improving the speed of innovation. As technology matures, organizations do not need to accept a trade-off between faster data flow inside the company and protecting consumer privacy.