Going digital is right at the top of the organizational agenda, providing the foundation to increase efficiency, reduce cost and drive an enriched user experience through real-time fulfilment. Digital technologies can provide organizations with a platform to understand more about their users than ever before, unlocking the value of personal data.
However, organizations face complex challenges while grappling with the digital journey. How do business leaders find the right balance between leveraging personal data for insight-based decision-making and maintaining privacy, security and ethics?
What strategic privacy decisions should security leaders make while trying to maintain this balance? And importantly, how can organizations leverage technology to ensure consistent application in a cost-effective manner at scale?
Invest in privacy engineering skills
Technology continues to evolve, with processing speeds doubling every few years and innovative technologies emerging to meet ever-changing user expectations and demands. This fast-paced change is causing a seismic shift in privacy expectations of users and regulators. It is a constant challenge for organizations to ensure they are evolving their privacy by design practices to meet expectations.
What might have been an appropriate safeguard for the effective protection of personal data yesterday may be outdated tomorrow. When it comes to building privacy into business IT systems, data protection regulations such as the EU’s GDPR refer to state-of-the-art as the guiding light for appropriate technical design choices.
In general, state-of-the-art is reached when existing scientific knowledge and research are brought to market maturity and, when possible, reference international standards. Often, state-of-the-art technology is expensive and complex to deploy across an organization’s digital IT landscapes.
Therefore, acquiring the right privacy engineering skills is a business imperative for organizations. To meet technology-based privacy needs in 2022, it will be essential for companies to invest in their workforce. To gain a competitive advantage, companies should provide support, resources and training for security professionals and privacy engineers to implement state-of-the-art privacy practices into business IT systems.
Leverage privacy-enhancing technologies
Privacy-enhancing technologies are moving up the maturity curve, among them differential privacy, federated learning, multiparty computation, homomorphic encryption and synthetic data. Their effectiveness within the realm of “trustworthy” or “ethical artificial intelligence (AI)” goes hand in hand with increased public funding supporting further development and standardization efforts. Still, a lot of work needs to be done to define clear use cases and provide off-the-shelf solutions for implementation. In addition, regulators are expected to opine on open legal questions, for example, via the upcoming review of the European Data Protection Board’s guidelines on anonymization techniques. Hopes are high that those cutting-edge techniques will help with questions around issues such as international data transfers and cross-border medical research.
Big Tech companies, including Apple, Google, Facebook and Microsoft, are spearheading the adoption of privacy-enhancing technologies. A prominent example is differential privacy. With its mathematical definition of privacy, it offers one of the strongest guarantees of privacy available. To get an intuitive understanding, imagine a poll where respondents flip a coin before answering. If the result is “heads,” a random answer (heads or tails) would be recorded instead of the true answer. Later, the introduced errors (noise) are removed from the dataset. The amount of noise added sets the balance between privacy and the utility of the disclosed information. Eventually, statistical patterns of a dataset can be identified while maintaining “plausible deniability” about the information of the individuals who are included in the analysis.
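The coin-flip poll described above can be simulated to show how the noise is accounted for in aggregate and how the coin's bias trades privacy against accuracy. This is an added example, not code from the article; the function names, the yes/no question, the 30% true rate and the sample size are assumptions made for illustration.

```python
import math
import random

def randomized_response(truth: bool, p_random: float, rng: random.Random) -> bool:
    """Record one answer: with probability p_random a coin decides it, else the truth."""
    if rng.random() < p_random:      # first flip came up "heads"
        return rng.random() < 0.5    # second flip picks the recorded answer
    return truth                     # "tails": the true answer is recorded

def estimate_true_rate(reports: list[bool], p_random: float) -> float:
    """Invert the known noise: E[observed] = p_random/2 + (1 - p_random) * true_rate."""
    if not 0 < p_random < 1:
        raise ValueError("p_random must be strictly between 0 and 1")
    observed = sum(reports) / len(reports)
    estimate = (observed - p_random / 2) / (1 - p_random)
    return min(1.0, max(0.0, estimate))   # clamp sampling error into [0, 1]

def epsilon(p_random: float) -> float:
    """Differential-privacy parameter: log of the worst-case likelihood ratio."""
    if not 0 < p_random < 1:
        raise ValueError("p_random must be strictly between 0 and 1")
    p_yes_if_yes = (1 - p_random) + p_random / 2
    p_yes_if_no = p_random / 2
    return math.log(p_yes_if_yes / p_yes_if_no)

def simulate(n: int = 100_000, true_rate: float = 0.30,
             p_random: float = 0.5, seed: int = 7) -> tuple[float, float, float]:
    """Return (actual rate, raw noisy rate, corrected estimate) for a constructed poll."""
    rng = random.Random(seed)        # seeded so the constructed sample is repeatable
    truths = [rng.random() < true_rate for _ in range(n)]
    reports = [randomized_response(t, p_random, rng) for t in truths]
    return sum(truths) / n, sum(reports) / n, estimate_true_rate(reports, p_random)

if __name__ == "__main__":
    actual, raw, corrected = simulate()
    print(f"actual={actual:.3f} raw={raw:.3f} corrected={corrected:.3f}")
    for p in (0.1, 0.5, 0.9):        # more noise means smaller epsilon, stronger privacy
        print(f"p_random={p}: epsilon={epsilon(p):.3f}")
```

With a fair coin the scheme gives epsilon = ln 3; no single recorded answer proves what the respondent actually said, yet the corrected estimate lands close to the real rate.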
Modern cryptography is groundbreaking as well. Going beyond protecting data in transit or at rest, homomorphic encryption and multiparty computation are about protecting data in use. Previously unimaginable, these technologies allow computation to be performed directly on encrypted data without previous decryption. Because of this, they can support joint analysis of data provided by multiple parties without revealing the parties’ individual data inputs. For example, this can be used in medical research. Two separate databases can be used to identify confounding factors for the survival of patients without the need to exchange patient data to perform the data analysis. Being creative when exploring how privacy-enhancing technologies can unlock new business operations will be worth the time and effort.
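The joint-analysis idea above can be shown with additive secret sharing, one of the building blocks of multiparty computation. This is an added example, not code from the article; it generalizes the two-database case to three parties (with only two, the total itself would reveal the other party's input), and the modulus, function names and patient counts are constructed for illustration.

```python
import secrets

# Assumption: a public modulus agreed by all parties, larger than any possible total.
MODULUS = 2**61 - 1

def share(value: int, n_parties: int) -> list[int]:
    """Split value into n additive shares; any n-1 of them look uniformly random."""
    shares = [secrets.randbelow(MODULUS) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % MODULUS)
    return shares

def secure_sum(private_inputs: list[int]) -> tuple[int, list[list[int]]]:
    """Compute the total of all inputs while each party only ever sees random shares."""
    n = len(private_inputs)
    if n < 3:
        raise ValueError("with fewer than 3 parties the total reveals the other input")
    # Row i: the shares party i hands out. Column j: the shares party j receives.
    outgoing = [share(v, n) for v in private_inputs]
    # Each party adds up what it received and publishes only that partial sum.
    partials = [sum(outgoing[i][j] for i in range(n)) % MODULUS for j in range(n)]
    # Combining the published partial sums yields the total and nothing else.
    return sum(partials) % MODULUS, outgoing

if __name__ == "__main__":
    # Constructed sample: per-hospital counts of patients matching a study criterion.
    counts = [132, 87, 241]
    total, outgoing = secure_sum(counts)
    print("shares sent by hospital 0:", outgoing[0])
    print("joint total:", total)
```

Each share is a random number modulo the agreed modulus, so a hospital learns the combined count without seeing any other hospital's figure.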
Utilize privacy governance to tackle new challenges
Lastly, there will be new developments and laws in 2022 which will impact the technology engineering landscape. Innovative solutions for identity and access management, changes in the AdTech ecosystem, privacy-preserving machine learning trends and new AI regulations entail novel opportunities and challenges for privacy. On top of trendsetting AI regulations like the EU Artificial Intelligence Act, complex sectoral regulations for e-commerce, health technology or the cloud should be anticipated.
In addition, the complexity of these developments calls for close cross-disciplinary collaboration, streamlining internal standards and related processes. The key will be effective communication between different business functions and aligning data-value generation, responsible use of data in AI and privacy by design in AI systems. Organizations will need to enable and leverage the expertise of security and privacy teams to establish the right balance of privacy and trust while maximizing data utility.