demystifying the role of ai in
play

Demystifying the Role of AI in Privacy Management Darren Abernethy - PowerPoint PPT Presentation

October 16, 2019 Demystifying the Role of AI in Privacy Management Darren Abernethy TrustArc Maggie Gloeckle A+E Networks Hilary Lane Ravi Pather CryptoNumerics Introduction Demystifying the Role of AI in Privacy Management Agenda


  1. October 16, 2019 Demystifying the Role of AI in Privacy Management Darren Abernethy TrustArc Maggie Gloeckle A+E Networks Hilary Lane Ravi Pather CryptoNumerics

  2. Introduction

  3. Demystifying the Role of AI in Privacy Management Agenda • Introductions • Privacy and the Business Challenges • Introduction to “Automated Intelligence” • Challenges with Managing Privacy Compliance • “Automated Intelligence” Use Cases • Key takeaways

  4. Privacy Funding POLL: Privacy Funding What is the level of privacy funding at your organization? A. Low - we have significantly underinvested in privacy B. Medium – we have inconsistently invested in privacy C. High – we have consistently invested in privacy D. I don’t even want to think about it

  5. Privacy Ownership POLL: Organizational Compliance Ownership Who owns privacy compliance within your organization? A. Office of the General Counsel or Legal Department B. Compliance C. Information Technology – CISO / CIO D. Suite Executive (s) CFO/ COO /CTO / CEO E. Management by Committee

  6. Privacy and Business Challenges

  7. Privacy and the Business Challenges Privacy as a strategic business imperative For maximum data value balanced by responsible data stewardship Privacy Stakeholder 0100110101110101100101 Alignment

  8. Privacy and the Business Challenges How are Data and Privacy Compliance Evolving? GDPR Phase 2 GDPR Phase 1 PIPEDA Privacy Automation Data Security HIPAA CCPA • Privacy Compliance is getting more Complex • Re-identification Risk • Legal meaning • Invest in Privacy • Focus on Data • Secondary Use of Data • Incentive to use provable • Consent Management • Leverage Automated Security Demand increasing de-identified data grows • Loss Prevention • GRC Risk and Privacy tools • Demonstrating • Failure to comply with • Intrusion Detection • Leverage Tools Compliance is hard Privacy is damaging 2016 2018 201 2020 201 9 7 Sep Jan 20 19 • Securing Data • Consent Management • Demands Privacy by Design (PbD) • Consent • Threat Detection Management • Right to be Forgotten • Automate Risk Assessment of re- & Loss identification (Demonstrate PIA) • Right to be • Anonymization Prevention Forgotten • Ensure risk of re-identification has • Re-identification Risks been removed • Anonymization • Data Utility Required • Retain Analytical Value in Data • Privacy Non-Compliance • Security tools don’t work for Privacy

  9. Introduction to “Automated Intelligence”

  10. The Road to “Automated Intelligence” Route Wisdom 2 Intelligence Insights Knowledge Information Data

  11. From Text to Machine

  12. Speed Meets Nuance Data is Fast Laws are Complex Business, economic, healthcare, security, and Regulatory obligations can attach to data as political leaders and their teams rely on vast rapidly as it moves or is used for a new purpose, data sources and deep analytics to make rapid, however, most laws aren’t written to be applied critical decisions. quickly as companies, data, systems, business partners and the activities in which they are involved fall in and out of scope.

  13. Defining “Intelligence” for Privacy Term Definition in·​tel·​li·​gence | \ in- the ability to learn or understand or to deal with new or ˈte - lə - jən(t)s trying situations a branch of computer science dealing with the simulation of ar·​ti·​fi·​cial intelligent behavior in computers in·​tel·​li·​gence | \ ˌär - tə - ˈfi - shᵊl \ in- ˈte - lə - jən(t)s ma·​chine learn·​ing the process by which a computer is able to improve its own | \ mə - ˈshēn \ ˈlər - niŋ performance (as in analyzing image files) by continuously incorporating new data into an existing statistical model

  14. Defining “Intelligence” for Privacy Term Definition al· go· rithm | \ ˈal-gə- a step-by-step procedure for solving a problem or accomplishing ˌri-t͟həm some end in a finite number of steps that frequently involves repetition of an operation algorithmic, data-driven contextual insights about privacy au·​to·​mat·​ed pri·​va·​cy requirements that drive actionable priorities within operational in·​tel·​li·​gence | ȯ - tə - workflows to streamline privacy management decisions and drive ˌmā - təd \ ˈprī - və - sē in - alignment across teams and stakeholders ˈte - lə - jən(t)s

  15. Automated Decision-Making (ADM) ADM is the ability to make decisions by technological means. Solely ADM is ADM without any human involvement. ADM can be based on data collected directly, data collected from third party sources, or derived or inferred data. GDPR addresses risks related to Automated “Individual” Decision-Making, i.e., ADM about individuals ADM used for privacy intelligence leverages information about organization business practices and privacy metadata. Data integrity, accuracy, and completeness are as critical to privacy intelligence as they are to nuanced legal and regulatory advice and guidance provided by expert advisors.

  16. Challenges with Managing Privacy Compliance

  17. Privacy Management Challenges ▪ Emerging Multiple Privacy Regimes and increasing complexity ▪ Privacy Compliance is here and is a legal requirement ▪ Privacy by Design and Privacy by Default is a legal recommendation ▪ Anonymised Data is today foundational to Data & Privacy Compliance ▪ Risk of re-identification is high if data is not properly anonymised ▪ Risk of fines and brand damage for non-compliant Anonymised data ▪ Balancing with Data Utility, critical for business data science and analytics ▪ Consequences for non-compliance ▪ Secondary Use apps such as Data Science, Analytics, Monetization now in scope ▪ In scope overhead will be prohibitive in using such data ▪ Privacy Breach, Brand and reputational damage and question of ethical use of data

  18. Enterprise Challenge: Fragmentation Manual & Manual & Manual & Manual & Fragmented Fragmented Fragmented Fragmented Legal Risk Compliance IT Security Data Science Business Manages Risk Identifies Legal Privacy Compliance Consumers of Analytics, AI & ML Data Security Defines Policy Access Requests data Data Insights requirements Protection tools Enforcement Contracts Encryption, Business & GRC Risk Python, R, SAS, Policy Tools, Hashing, Customer Tools, Tableau Spreadsheets Tokenization Insights Spreadsheets ● Privacy Stakeholders are fragmented and operate in silos ● Privacy Compliance is outpacing Organizational capability to respond ● Risk of Re-identification of data is a Risk and Compliance exposure ● Data Protection tools breaks Analytical value of data for Data Science and Analytics

  19. “Automated Intelligence” Use Cases

  20. “Automated Intelligence” Use Cases 1. Consumer Privacy Rights / DSRs 2. Incident Response 3. De-Identification and Risk 4. Data Discovery and Risk

  21. Use Case 1: Consumer Privacy Requests Requestor Type Required? 1-California Do Not Sell Yes, under CCPA if applicable 2-Texas Access Yes, under HIPAA and TMPA if applicable 3-Nevada Do Not Sell Yes, under Nevada Law if applicable 4-Brazil Correction Yes Intelligence 5-Singapore Deletion No Filter

  22. Use Case 2: Incident Response

  23. Use Case 3: De-Identification & Risk Why enterprise class privacy automation is now required ▪ Build data protection by design and by default (Privacy by Design) ▪ Build an architectural point of control for policy enforcement ▪ Automated Risk Assessment for re-identification ▪ Generate fully Anonymised datasets with confidence ▪ Reduce risk of non-compliance ▪ Invest in Privacy Automation now as we invested in Data Security 5 years ago ▪ Privacy breach and non compliance is now a corporate liability & exposure ▪ Harmonize Legal, Risk & Compliance, Data Science and Business teams into a single process with Privacy Automation ▪ Data-driven data science demand will grow ▪ M ake Privacy an integrated layer of Data Science Architectures ▪ Balance Privacy Compliance with Data with High Analytical value

  24. Use Case 3: De-Identification & Risk

  25. Use Case 3: De-Identification & Risk

  26. Use Case 4: Data Discovery & Risk

  27. Summary of Automated Intelligence For Privacy Management • Data Protection by Default and by Design – Build a systems based Architectural Point of control for Policy Enforcement – Use emerging and “State -of-the- Art” tools to meet and demonstrate data compliance • Fully Anonymize Data and Demonstrate Compliance – De- Identify ‘direct identifiers’ and apply privacy protection to ‘indirect identifiers’ – Automate Risk Assessment to demonstrate Privacy Compliance – Move to Automated, systems based ‘Risk of re - Identification vs manual ‘two eyes’ approaches • Legal Basis for secondary purpose use of customer data – ‘Legitimate Interest Processing’ (LIP) is more flexible than Consent for Data Science (GDPR) – Identifiable data is in scope (CCPA & PIPEDA) – Organisational & Technical Controls are required to support de-identification of data

  28. Key Takeaways

Recommend


More recommend