Speaking at this year's Teradata Analytics Universe conference in Las Vegas, Micro Focus Director of Product Management - Data Security, Reiner Kappenberger, posed the question: "Are privacy regulations killing the business?"
In the presentation, Kappenberger argues that while regulations may seem to restrict day-to-day processes, they are also an opportunity for many organizations, and that data privacy can be good for business.
Kappenberger notes that today's companies want to immerse themselves in innovation by adopting artificial intelligence (AI), the Internet of Things (IoT) and machine learning, and by using the cloud in a hybrid environment. The willingness to innovate, however, comes at a substantial price.
The price consists of a series of threats and regulations. Threats differ by business implementation: in the big data sphere they include data breaches and account hijacking. Regulations make the picture more complex still. When the European Union's General Data Protection Regulation (GDPR) came into effect, it set off a snowball of new privacy regulations across the globe, and businesses are now working to comply with the new restrictions and avoid sanctions.
To understand why these regulations constrain business practices, Kappenberger presents a list of some of the GDPR requirements, which have served as the template for regulations outside the EU:
- Data protection officers: A professionally qualified officer must be appointed by public authorities and by organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (the 250-employee threshold often quoted here is GDPR's exemption from record-keeping duties, not the DPO criterion).
- Security of processing: Encryption or tokenization; confidentiality, integrity and availability (the CIA triad); user logging and monitoring; disaster recovery and business continuity planning (DR/BCP); continuous control monitoring.
- Consent management: Requests for consent must be simple to understand, clearly requested, and as easy to give as withdraw.
- Data portability: Allow data subject to obtain and reuse their personal data for their own purposes by transferring it across different IT environments.
- Breach notification: A breach that is likely to result in a risk to data subjects' rights or freedoms must be reported to the supervisory authority within 72 hours, and to the affected individuals if the risk to them is high.
- Right to be forgotten: If there is not a legitimate reason to retain personal data, data subjects have the right to request their data be erased.
- Right to access and challenge: Data subjects have the right to obtain confirmation of how their data is used and a copy of the personal data held, at no charge. They can also challenge profiling and automated decision-making.
- Privacy by design: For the build and development of any new system, organizations are required to put appropriate technical and organizational measures in place to support GDPR.
All of these requirements force companies to change the way they do business, starting with the way they protect data. A layered, perimeter-centric approach has been common practice, but on its own it is no longer sufficient: attackers and malware exploit the gaps between the layers. The data itself has to be protected, and the attraction of protecting data at the source is that it can still be worked with while it remains protected end to end. This is called "field level" protection, because each individual field, such as a person's name or credit card number, is encrypted separately.
In an analytics environment, for instance, there is usually no need to know who a specific person is: analysts and data scientists look for the drivers behind certain events rather than handling individual customers' personal data. With field-level encryption, analysts and data scientists are never exposed to the sensitive values, which brings the risk of personal data leaking out of the analytics environment close to zero.
While this sounds straightforward, how does it apply in the real world? Kappenberger uses the example of a car manufacturer. Because the company has a global reach, it collects data from all of its manufacturing sites; parts are shipped across the globe and assembled in different locations. This inevitably means that car manufacturers, like companies in many other industries, must deal with the numerous and diverse privacy regulations of the countries they operate in.
The sensors in today's cars constantly send information back to the manufacturer. On one hand this allows the manufacturer to run quality checks and predict failures; on the other hand it creates a problem, because regulatory obstacles arise from collecting and using the different types of data. The problem becomes particularly frustrating because manufacturers can now view personally identifiable information (PII) not only about their customers but also about their own employees: for example, they can see which employee mounted a specific component on a specific car. Companies like car manufacturers therefore find themselves in a paradoxical situation, with the hunger for technological innovation on one side and regulatory restrictions on the other.
One solution could be to restrict access to the data to the few people inside the firm who are authorized to work with PII. As Kappenberger explains, this "squeezing effect" does not drive any additional value for the firm.
An alternative is to encrypt data at the field level as soon as it is collected: the vehicle identification number (VIN), owner information, the location where the car was purchased, and so on. Everyone can then run analytics on the encrypted data, since they never come into contact with personally identifiable information, and most people working with the data only want to identify trends in order to offer customers a better experience.
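The following is an added example, not code from the presentation or from any Micro Focus product, of what "protect PII at the field level when it is collected, then analyze the protected copy" looks like in practice. It assumes keyed deterministic tokenization (HMAC-SHA256 with a secret key and a token vault) rather than the format-preserving encryption a commercial product would use; the field names, the telemetry records, the VINs and the owner names are all constructed for the example. It also goes one step beyond the text by tying the vault to the right to be forgotten: deleting a vault entry turns every existing token for that person into an unlinkable pseudonym.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed for this example: the fields of a vehicle telemetry record that
# count as PII and must be protected at the collection point, and the fields
# that analysts may see in the clear.
PII_FIELDS = ("vin", "owner", "purchase_location")
CLEAR_FIELDS = ("model", "component", "fault_code")


class FieldTokenizer:
    """Keyed, deterministic field-level tokenization using HMAC-SHA256.

    The same plaintext always maps to the same token, so analysts can still
    group, join and count on a protected column, but without the key a token
    cannot be inverted or forged. Re-identification goes only through the
    vault, which stays with the few people authorized to handle PII.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._vault: dict[str, str] = {}

    def _token(self, field: str, value: str) -> str:
        # The field name is bound into the MAC, so the token for VIN "X" can
        # never collide with the token for an owner named "X". 24 hex chars
        # (96 bits) is plenty to avoid accidental collisions between tokens.
        msg = field.encode() + b"\x00" + value.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:24]

    def protect(self, record: dict) -> dict:
        """Return a copy of record with every PII field replaced by a token."""
        out = {k: record[k] for k in CLEAR_FIELDS if k in record}
        for field in PII_FIELDS:
            if field in record:
                token = self._token(field, record[field])
                self._vault[token] = record[field]
                out[field] = token
        return out

    def reveal(self, token: str) -> str:
        """Authorized re-identification: look a token up in the vault."""
        return self._vault[token]

    def can_reveal(self, token: str) -> bool:
        return token in self._vault

    def forget(self, field: str, value: str) -> bool:
        """Erasure request: drop the vault entry so the token becomes an
        unlinkable pseudonym everywhere it already appears."""
        return self._vault.pop(self._token(field, value), None) is not None


def faults_per_vehicle(records: list) -> Counter:
    """Analytics that run identically on clear and on protected records."""
    return Counter(r["vin"] for r in records if r["fault_code"] is not None)


# Constructed sample telemetry; the VINs, names and places are made up.
RAW_RECORDS = [
    {"vin": "EXAMPLEVIN0000001", "owner": "A. Rossi", "purchase_location": "Milan",
     "model": "Hatch", "component": "brake_sensor", "fault_code": "B1207"},
    {"vin": "EXAMPLEVIN0000001", "owner": "A. Rossi", "purchase_location": "Milan",
     "model": "Hatch", "component": "battery", "fault_code": "P0A80"},
    {"vin": "EXAMPLEVIN0000002", "owner": "J. Schmidt", "purchase_location": "Berlin",
     "model": "Sedan", "component": "brake_sensor", "fault_code": None},
    {"vin": "EXAMPLEVIN0000003", "owner": "M. Dubois", "purchase_location": "Lyon",
     "model": "Sedan", "component": "brake_sensor", "fault_code": "B1207"},
]


def run_demo(key: bytes = b"") -> dict:
    """Protect the records at ingest, analyze the protected copy, then
    exercise an authorized reveal and an erasure request."""
    tok = FieldTokenizer(key or secrets.token_bytes(32))
    protected = [tok.protect(r) for r in RAW_RECORDS]

    clear_counts = faults_per_vehicle(RAW_RECORDS)
    protected_counts = faults_per_vehicle(protected)
    raw_vins = {r["vin"] for r in RAW_RECORDS}
    first_token = protected[0]["vin"]
    revealed = tok.reveal(first_token)          # only the vault holder can do this
    erased = tok.forget("vin", "EXAMPLEVIN0000001")
    return {
        "protected": protected,
        # same faults-per-vehicle distribution, computed without any VIN in view
        "same_histogram": sorted(clear_counts.values()) == sorted(protected_counts.values()),
        "no_vin_exposed": not any(r["vin"] in raw_vins for r in protected),
        "revealed": revealed,
        "erased": erased,
        "still_resolvable": tok.can_reveal(first_token),
    }


if __name__ == "__main__":
    result = run_demo()
    for row in result["protected"]:
        print(row)
    print({k: v for k, v in result.items() if k != "protected"})
```

Two caveats a practitioner would want. Deterministic tokens preserve equality, and therefore frequency: for a low-cardinality field such as purchase location, the token histogram alone can be matched back to the real distribution, so such fields should be generalized (city to region, for instance) or left out unless grouping on them is genuinely needed. And HMAC tokens are not format-preserving; a 24-character hex string will not fit a column declared for a 17-character VIN, which is the schema problem that format-preserving encryption products exist to solve.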
New consumer privacy regulations push back and add complexity to analytics in business. Nonetheless, there are some aspects regarding regulations that can surprisingly benefit businesses. Kappenberger highlights in his presentation that if we focus on GDPR and not just on its disciplinary norms, we can spot some excellent opportunities.
The awareness of privacy that this regulation has raised can act as a shield against cyber-attacks, because a breach is now very costly for the business whose data is stolen, and that pushes businesses toward proficient data management. Proficient data management in turn benefits the businesses themselves, as they have all of their information under control. The consent forms signed by customers give businesses the chance to increase the return on investment (ROI) of their marketing activities, because they gain a clearer view of which customers want to engage with the brand and therefore know who to target. Finally, the strict regulations will eventually increase customer loyalty and trust, as the greater care paid to handling information reduces customers' perception of opportunism.
A video recording of Reiner Kappenberger's session, "Are Privacy Regulations Killing the Business?", is available.