The upsides of data privacy legislation

In Part 1 of this article, we sat down with Sasha Grujicic, Chief Operating Officer at NowVertical, a company specializing in big data and analytics, to try to make sense of the regular infractions by tech giants of privacy regulations like Europe’s GDPR legislation. Sasha outlined the idea that the interpretation of regulations on data privacy was relatively subjective, but also explained how companies can prepare themselves to obey more data privacy laws – by any interpretation – by preparing a holistic data protection impact assessment.

While we had Sasha in the chair, we asked him if there were additional ways in which – apart from not being fined $400 million for running headlong into data privacy legislation – actually sticking within the rules could benefit businesses.

THQ:

We’ve said that a holistic data protection impact assessment can help companies understand what data they have – and so, be more aware of the data privacy legislation that is out there, and how they stand towards it. That seems like the “take it on the chin” approach – appreciating that this is the thing that needs to be done and grasping that nettle with both hands.

SG:

Absolutely. It doesn’t need to be a major cost driver or cost center as a result of the implementation of a set of requirements. It may actually be a valuable efficiency generator for you, because you might have ten versions of the same file stored in six different locations. And as you start to understand all of that storage, you’re just like “Well, let’s start to minimize that. Maybe we don’t need data from 2007 that has nothing to do with legacy storage and retention requirements. How about we just sunset the storage of that information?”

Why did we need that?

THQ:

That’s almost guaranteed to happen, because everybody saves things to at least two places, thinking “I may need that at some point.” And then, as you say, five or ten years have gone by and there are new people in the company, asking “What the hell was that? Why did we need that?”

SG:

Exactly. Time moves on and a whole different landscape grows up, I guess – at which point, the company is paying to store redundant information that it’s retaining for reasons it doesn’t understand. Quite apart from the data privacy regulation liability of that, it’s a cost point that companies should be looking to eliminate, especially in the economy of 2023.

THQ:

There has been talk about an evolution of GDPR and the opportunities that could come with that. What sort of opportunities do you see coming from such an evolution?

Vertical opportunities.

SG:

We see the future through this lens of vertical intelligence, which is just vertically applicable artificial intelligence. So, rather than looking at these massive generalizable NLP models, or image classification models that are trying to do anything and everything through a one-size-fits-all lens, we look at this through the lens of vertically affordable artificial intelligence. And when you start to think about the requirements to develop anything associated with AI that’s generalizable or political in nature, you need to be able to understand what data inputs are required to build something like that. And in many industries and many enterprise customers, PII (Personally Identifiable Information) is a fundamental part of that.

To be able to actually use those inputs, it’s incredibly important for organizations to look at legislation as a means to enable that type of creation of vertically applicable artificial intelligence.

THQ:

Rather than a cudgel to beat their profitability with?

The synthetic future.

SG:

Right. And furthermore, another thing that people are quickly coming to understand is that you can actually use PII, but you don’t need to expose it to use applications. We have an application that works on Snowflake that allows you to do things like segmentation, cluster analysis and privacy-safe data sharing without exposing any raw data. So you can use those data assets – you don’t have to sequester them and say “Never should we ever” use this. You can actually use that data, without having to expose it and run into trouble with legislators or data privacy advocates.

The evolution of the way in which we look at all these different datasets can be incredibly empowering when you use it within the spirit and the letter of the legislation that’s out there.

The other area that probably doesn’t get the shine it should is synthetic data. There are organizations that are generating synthetic data based on very secure segments of data within organizations or between external organizations. That’s incredibly important, to be able to create synthetic versions of information that doesn’t expose any of the real, sensitive pieces of data that may be subject to legislation or restrictions.

THQ:

So the challenge for companies is to learn how to be cleverer in the way that they deal with data. First, know what you have, where it is, and the data risks surrounding it. Second, minimize the extraneous data you’re holding onto that’s doing no good to anyone, and thirdly, work smarter when it comes to not exposing the data on which you’re basing your profitability?

SG:

Exactly right. And you have to use a certain level of scrutiny in terms of the inputs. Otherwise, if you want to generate models — like if you want to do machine learning, or deep learning, or enable automation — you have to be selective about what the inputs are, or else your costs are just going to explode. And furthermore, you’re not going to really understand the true nature of the relationship of the inputs to the outputs. That can be a huge problem, and the blackbox nature of these generalizable models is a big problem, not to mention all the biases and the lack of scrutiny on the inputs.

The challenge for leadership.

THQ:

Well, naturally, the less scrutiny you give your inputs, the more irrelevant your outputs are going to be.

SG:

This is where technology-enabled services tend to work best — where you have experts helping to guide processes. This is just the nature of the way in which technology evolves. Senior leadership are in these high profile, highly scrutinized positions that have to understand the kind of risks and the profile of their data states, and they aren’t aware of some of the technologies that are available now to help them better understand those things in a more seamless way.

It’s just a matter of education and exposure. So when somebody asks “Do you know where all your data is? And do you know what it is?” Most of the people in leadership will say no. So when you ask them if they know how to wrap their arms around their data, most of them will say “Kind of.”

It’s not some massive deficiency in their capabilities. It’s just a lack of awareness of the ways in which to penetrate that data state through expert service delivery and expert technology and I think that’s important for them to better understand.

THQ:

Whether companies and boards like it or not, data privacy legislation is in play. But it doesn’t have to be just a punishment or a block to doing business as usual. By changing the way business is done, by taking data seriously, and by employing smart, new generation thinking and technology, rules like the GDPR can actually help companies evolve what they can do with data, while keeping that same data safe for users and customers.