Privacy Compliance and Technology Disruption (Part 3)

Part three of a three-part series by James Howard, former Chief Privacy Officer and Chief Data Officer at KPMG. Read part 1 and part 2 of the series.


Fundamental and disruptive change
Business, technology and data science will continue to accelerate, events will happen and regulations will come into effect. The result is an increasing tension between opposing forces where the resistant compliance side of the equation will almost always lose.

It’s time to take a fresh look at the model. Increasingly, companies are recognizing the disruptive effect that data and analytics (including AI) will have on their business – the very action that increases the risk of privacy events discussed in this paper.

Privacy compliance can benefit from disruption

Ultimately, many aspects of privacy compliance will benefit from the disruptive use of AI, cognitive algorithms, and advanced personal data management systems that actively involve the consumer. Given that privacy compliance combines documentation, analysis and judgment, there are opportunities to design and train algorithms to assist analysis, which will increase the timeliness and reach of the program.

Approach
First and foremost is the recognition that intelligent automation and leveraging AI is a journey – not a destination – and benefit is gained incrementally. Focus begins on the more basic and mechanical aspects of the program, freeing analyst time for more sophisticated and complicated issues.

As the process matures, more aspects of the program can be automated, leading to a state where increasingly sophisticated tasks are processed automatically and the SME is engaged at certain thresholds where, say, more judgement or specific approval is needed. If properly implemented, the algorithms are trained methodically (“crawl, walk, run”) and logged to ensure consistency. Utilization of self-service personal data management systems will also greatly reduce workload as more consumer requests (as required by regulatory frameworks) are handled automatically throughout internal systems, cloud applications, and third-party service providers.

Example activities that are candidates for automation:
1. Process review comparing to policy – using an algorithm to determine whether a proposed process might violate a privacy policy
2. Access monitoring – data stores containing information pertaining to people can be monitored for access, and AI can analyze that access for anomalies and trigger responses
3. Data access requests – routine operational transactions, such as requesting access to certain data, can be vetted and handled through Intelligent Automation
4. Data discovery and inventory – All organizations have large volumes of unstructured data stored (and often forgotten) on network file servers. AI can be used to traverse the file stores and build meta-data tables around the data, and can be tuned to identify sensitive data, helping to ensure compliance
5. Customer inquiries – These can be extremely burdensome for companies with large numbers of individual customers. Intelligent automation and the use of personal data management systems that leverage advanced technology empower consumers to self-manage their preferences, handle inquiries about their own data, and submit requests to rectify or remove their data.

Benefits
All these use cases are within the capabilities of existing technology, and the decision to pursue any combination is based on specific circumstances. However, the overriding point is that they pave the way toward much more flexibility and scalability of a privacy program that is coming under increasing pressure to perform. So, the benefits are:
· Greater flexibility
· More scalability and leverage of resources
· Lower risk of non-compliance
· Less impact and burden to the business
· Managed cost

Risks
At a high level, the risks are that the tools fail to detect or prevent an unauthorized use or disclosure of information pertaining to individuals. This can be because the algorithms don’t work as intended or are not properly implemented. These are project and operational risks and should be managed through normal risk management processes.

But by keeping in mind the current state and the trajectory business is on, the reality is that leveraging Intelligent Automation and Artificial Intelligence makes sense. It’s going to happen.

Conclusion
When it comes to the use of personal data in a business context, there are a few absolute truths: (1) Businesses will continue to gather and process more and more information about people to meet their goals. (2) We will continue to see larger and more far-reaching data events involving personal information. (3) Regulators will continue to respond with increasingly complex requirements around the handling of personal information.

Many industries are being disrupted by the creative and innovative use of data. The privacy profession — increasingly in the spotlight, yet dependent on manual processes — is quickly becoming a good candidate for reinvention. People will benefit, as it will open avenues for business to provide new products and services designed to make their lives better, while at the same time lowering the risk to them for participating.
