The passage of the California Consumer Privacy Act (CCPA), following closely on the heels of GDPR, is the latest in a series of developments in data privacy regulation. Twelve other states are expected to pass similar legislation, and federal privacy legislation is currently being drafted as well. The increasing focus on data privacy is partly due to several recent instances of corporate mishandling of private data (e.g., Facebook). It is also the result of a growing number of privacy concerns about emerging technology being raised by investigative reporting agencies and consumer watchdogs.
Data privacy and protection will be at the top of the corporate regulatory agenda for a few reasons: regulation in this space is new and still evolving; data is difficult to manage at enterprise scale; and a significant ramp-up will be required as more jurisdictions enforce such regulations. Furthermore, businesses and government entities face escalating urgency around instrumenting responsible AI systems and processes. This is only going to create heightened pressure for compliance with data privacy and protection rules.
A Moving Target in a Complex Heterogeneous Landscape
These regulations lack unambiguous requirements on what is sensitive and what constitutes a violation. This creates a potentially moving target, one that will require companies to take an agile and flexible approach to their data privacy and protection practices.
The broadened scope of sensitive data under recently passed regulation adds another layer of complexity. For example, CCPA broadens the protected/private data definition to include any information that can be traced to a consumer or household. That may include identifiers such as consumer browsing history, as well as inferences and tendencies drawn from any personal information. This means any unstructured data—documents, email communications, voice transcripts—will need to be analyzed for potential linkage to consumers or households.
With exploding data sets and complexity, there will be an increased need for compliance and regulatory teams to understand the big picture of the data: how data elements can be linked with each other, the nature and context of their use, and whether any action is warranted. Also needed will be an approach that can scale and adapt to an evolving data landscape as data continues to move more fluidly across the enterprise.
Why Traditional Approaches to Compliance Will Fall Short
Companies will need to evolve their traditional compliance approaches in order to meet the new data privacy compliance challenge. Master data management, rules, and workflow-based approaches are brittle, brute-force methods that will break in light of changing privacy requirements and rules. Furthermore, such techniques lack the ability to scale. While it may be possible to use robotic process automation to drive some efficiencies, such approaches are inflexible, and true scalability is difficult to achieve.
Traditional approaches also lack the nuance and context that will increasingly become important in dealing with data privacy and protection issues. Companies will increasingly need to incorporate data privacy and protection in their consumer experience strategies. For this, they will need capabilities to elevate the overall data privacy and protection experience.
How AI Can Help
The solution to these challenges lies in being able to augment compliance, legal, and regulatory analysts, providing them with insights and prescriptive actions to ensure compliance. These are capabilities that can be implemented through modern AI tools and techniques. AI and ML are already being used at the data infrastructure level to automatically classify, extract, and resolve citizen data records. There is, however, an opportunity to take this set of capabilities further by enabling a business-centric, 360-degree view that provides a complete picture of sensitive data elements, persona-driven insights, and next best actions.
The Way Forward
While rules- and workflow-based approaches can work for the tactical short term, compliance departments will need a strategic, longer-term approach to meeting data privacy requirements. In devising this strategic approach, companies should consider the differentiating value it can afford: the ability to build a trust-based brand. When an enterprise builds a brand around privacy, consumers aren’t just more likely to view the enterprise favorably; they are also more likely to let that enterprise gather, process, and even sell their data. In our next post on this topic, we will look at the capabilities that a next-generation data privacy and protection solution should have and how enterprises can leverage AI to enable those capabilities.
About the Author:
Max Kanaskar is CognitiveScale’s Financial Services AI Advisor. In this role, Max works with financial services organizations (including insurance companies, banks, asset managers) on their AI journey—from strategic insight into how to develop AI competencies and centers of excellence to more tactical development of AI roadmaps and delivery of AI solutions.