In the age of regulations, data privacy and machine learning go hand in hand
When Avast subsidiary Jumpshot was recently caught red-handed selling user PII (Personally Identifiable Information) to other companies, the public uproar was tremendous.
So much so that just a few days later, Avast was forced to permanently shutter Jumpshot – a $180-million marketing technology business – completely to avoid further reputational damage.
This is just one example of the reputational cost of playing fast and loose with data privacy.
We’ve all heard of the large regulatory fines imposed on companies that transgress data privacy rules.
GDPR violators, for instance, can be fined up to €20 million or four per cent of the preceding year’s worldwide annual turnover, whichever is higher – so for a large enterprise the turnover-based figure can far exceed the €20 million headline number.
These fines make for spectacular headlines, and in some cases may even make a difference. But they pale in comparison to lost customer trust. Your company’s reputation and the trust it carries are what customers ultimately pay for, and losing that trust can quickly become an existential threat.
But to stay trustworthy – and on the right side of ever-increasing regulations in multiple jurisdictions – organizations need multiple best-of-breed data privacy and security solutions working in harmony across the enterprise.
That means there’s no “silver bullet” strategy when it comes to keeping data safe.
To successfully face today’s data threats, organizations are increasingly relying on a combination of vendors working together to analyse, identify and protect their data.
Data privacy and regulation: The four stages of preparedness
Titus has addressed the implications of GDPR, CCPA and other privacy regulations with hundreds of companies over the past few years.
We’ve noticed most organizations tend to fall into one of four groups:
1. The Ignorers
At the low end of the preparedness spectrum, these are the organizations that pretend regulations don’t exist and hope for the best.
2. The Lip Servers
These organizations do just enough internal paperwork to be able to claim plausible deniability, or at least to attempt it. In these cases there’s usually minimal regard for actual PII protection or for the potential cost to business reputation.
3. The Paper Trail Blazers
Things start looking better once we get to this group, who typically hire consultants to run one-off assessments, generate internal policies and develop guidelines. By this stage, the importance of regulations – along with the spirit of abiding by them – has slowly become part of the company’s culture.
4. The Technologists
These organizations are the gold standard. They have software systems in place to enforce policies and assist with ongoing compliance, including machine learning models to automate tedious or error-prone parts of compliance. This reduces the always-prevalent possibility of human error causing a major meltdown.
It goes without saying that in today’s data privacy climate, organizations that aren’t at least leaning toward stages 3 or 4 are playing a very dangerous game – one that will likely end in an embarrassing public flogging (and possibly worse).
Why the era of one-size-fits-all compliance solutions is over
PII protection is a bit like house insurance – many think they don’t need it until the roof is on fire and they’re scrambling to evacuate.
Keeping data privacy top-of-mind across the enterprise is a big reason why constant communication – including with the rest of the company, not just within the security team – is always an important objective for security experts.
The good news for companies – especially those in Stage 4 – is that data privacy, identification and classification services and products are constantly becoming better, more differentiated and more affordable.
Whereas one-size-fits-all solutions were the norm a few years ago, these monoliths are quickly being replaced by a software suite of more nimble, best-in-breed solutions.
Instead of trying (in many cases, badly) to be all things to all problems, these solutions each handle their niche extremely well and facilitate a more effective privacy protection posture.
This trend toward software suites increases the need for seamless interoperability and intuitive interfaces, including human-machine interfaces. The next year or so will likely see more and more effective UIs enter the market, along with REST APIs enabling easy export and integration capabilities.
How data privacy software tools help establish and build trust
The need for PII protection, data identification and data classification tools all boil down to one thing: Trust.
Can consumers and partners trust you as an organization to keep their data safe?
It’s a big question more and more people have begun asking themselves before signing that contract, applying for an industry award, or filling out a web form for more information.
In today’s data climate, trust is currency.
Software tools including machine learning models and automation help organizations fill their coffers with customer confidence, while also staying on the right side of the world’s ever-expanding regime of privacy laws.
Strong data identification and classification tools that use machine learning help automate PII discovery across digital assets in a scalable and accurate manner, enabling safe storage, sharing and analytics.
From a technical perspective, legacy solutions typically rely on regular expressions. These can suffer from poor precision (much of what they flag as PII isn’t really PII) as well as poor recall (much real PII is missed because it doesn’t match the expected pattern).
Newer solutions that instead rely on machine learning for contextual analysis typically operate with an order of magnitude fewer errors. This approach also allows analyzing image data such as passport scans or faces, which text-only regular expressions cannot do at all.
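To make the precision/recall point concrete, here is an added, self-contained example (not Titus code and not part of the original article). It runs a bare-regex PII detector and a context-aware one over a small constructed corpus of made-up card and SSN-like values, then scores both. The “contextual” detector stands in for the contextual analysis described above using two simple, non-ML checks: a Luhn checksum to reject 16-digit numbers that aren’t card numbers, and a keyword window to reject SSN-shaped strings with no SSN context. Sample texts, keyword list and window size are all assumptions made for illustration.

```python
import re
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample corpus: (text, set of true PII values as bare digits).
# All numbers are made up or standard test values; none belong to a real person.
SAMPLES: List[Tuple[str, Set[str]]] = [
    ("Customer card 4111 1111 1111 1111 charged on 2021-03-02.", {"4111111111111111"}),
    ("Order 1234567890123456 shipped to the warehouse.", set()),      # 16 digits, not a card
    ("Reference SSN 219-09-9999 on file for payroll.", {"219099999"}),
    ("Invoice number 123-45-6789 is overdue.", set()),                # SSN-shaped, not an SSN
    ("Card no. 5500-0000-0000-0004 expires 12/25.", {"5500000000000004"}),
    ("Please update 219 09 9998 in the HR system.", {"219099998"}),   # SSN with no context cue
]

# Legacy-style patterns: exact shapes only, no validation.
NAIVE_CARD = re.compile(r"\b\d{16}\b")
NAIVE_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Tolerant patterns: allow space or hyphen separators, then validate.
CARD = re.compile(r"\b(?:\d[ -]?){15}\d\b")
SSN = re.compile(r"\b\d{3}[ -]\d{2}[ -]\d{4}\b")
SSN_CONTEXT = re.compile(r"\b(?:ssn|social security)\b", re.IGNORECASE)  # assumed cue words


def digits_only(value: str) -> str:
    """Normalize a match to bare digits so differently formatted values compare equal."""
    return re.sub(r"\D", "", value)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; rejects most random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_ssn_context(text: str, start: int, window: int = 40) -> bool:
    """Look for an SSN cue word in the characters just before the match (window size assumed)."""
    return bool(SSN_CONTEXT.search(text[max(0, start - window):start]))


def naive_detect(text: str) -> Set[str]:
    """Bare regexes: misses spaced/hyphenated cards, flags anything of the right shape."""
    found = {m.group() for m in NAIVE_CARD.finditer(text)}
    found |= {m.group() for m in NAIVE_SSN.finditer(text)}
    return {digits_only(v) for v in found}


def contextual_detect(text: str) -> Set[str]:
    """Tolerant regexes plus validation: checksum for cards, surrounding context for SSNs."""
    found: Set[str] = set()
    for m in CARD.finditer(text):
        digits = digits_only(m.group())
        if luhn_ok(digits):
            found.add(digits)
    for m in SSN.finditer(text):
        if has_ssn_context(text, m.start()):
            found.add(digits_only(m.group()))
    return found


def score(detector: Callable[[str], Set[str]]) -> Dict[str, float]:
    """Precision = flagged values that are real PII; recall = real PII that was flagged."""
    tp = fp = fn = 0
    for text, truth in SAMPLES:
        found = detector(text)
        tp += len(found & truth)
        fp += len(found - truth)
        fn += len(truth - found)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


if __name__ == "__main__":
    for name, det in (("naive regex", naive_detect), ("regex + validation/context", contextual_detect)):
        print(f"{name:28s} {score(det)}")
```

On this corpus the bare regexes flag the order number and the invoice number (false positives) and miss both separator-formatted card numbers (false negatives). Adding a checksum and a context window removes every false positive and recovers the cards, but the last sample still slips through: an SSN with no nearby cue word is exactly the kind of case where pattern matching runs out of road and contextual or learned models earn their keep.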
These tools can then be used as part of a company’s day-to-day operations to protect sensitive files and emails at creation, as well as to prepare incident responses, sanitize datasets for analytics teams, or to help with data migrations, internal auditing and forensics.
Turns out, the need to identify PII in an organization’s data quickly and accurately is critical for compliance in this new age of data privacy regulation.
And just like a homeowner with no insurance, if your organization isn’t being proactive about data privacy and PII identification, there’s a good chance that you’ll eventually be forced to be reactive – or suffer the consequences.