Considerations for Privacy Professionals

In a landmark year marked by significant AI advancements, it’s vital to prioritize transparency, accountability, and respect for privacy rights. Privacy professionals have been tasked with guarding against the downfalls of automated decision-making for some time, including potential harms that result in loss of opportunity, economic loss, social detriment, and loss of liberty.

Guiding solutions that address algorithmic discrimination risks is a tricky but necessary business. Privacy professionals need to be at the forefront of developing safeguards against algorithmic biases.

Strategies for Privacy Professionals: Balancing Transparency and Privacy

Against a backdrop of seismic change in the technology landscape and considering demands for new regulatory and compliance standards, privacy professionals need to tackle the complex task of trying to ensure algorithmic accountability. Several considerations, strategies, and approaches are emerging.

Transparency and Explainability

Transparency and Explain-ability are certainly a starting point. Demystifying algorithmic decision-making is essential. The public should be informed about algorithms, including their sources and potential sources of bias.

Reuters recently reported that Meta used a significant number of public Facebook and Instagram posts to train their AI systems, raising concerns about personal data. While Meta asserts this aligns with a fair use principle, competing content creators may challenge this claim. Regulators in the near future may as well.

The situation emphasizes the need for clear data usage policies, merging AI progress with individual privacy protections and fair business practices.

The Four D’s Framework

A Four D’s Framework can help. It is a method for assessing algorithmic systems to minimize privacy harms throughout the life cycle of an algorithmic system, much like the notion of shifting privacy left. The build of an algorithmic system comprises four stages: Design, Data, Development, and Deployment. This framework ensures that the entire scope of an algorithmic system is captured in a risk assessment. Think of algorithms simply as more advanced states of statistical profiling engineered into software products, and as such, they are prone to the same benefits and potential harms.

Because of this, it is crucial to introduce ‘policy layers’ at each stage of development. These layers can serve as a filtering mechanism, checking on a system as it is being built, preventing it from showcasing potentially harmful or biased outputs. While raw training data may contain various biases rooted in history, privacy layers can help filter out such biases, ensuring AI does not perpetuate them.

Although true solutions to AI bias may involve in-depth modifications to an AI application’s training or algorithm, privacy policy layers can serve as an effective, adaptable barrier against inadvertent biases and errors. AI systems fundamentally operate based on patterns from provided data, optimizing for specified behaviors without inherently possessing ‘good judgment’. They essentially offer outputs based on patterns in the data they have been trained on.

To enhance AI safety and reliability, modifications to the original training data sets are undoubtedly needed, but as an interim step, Google’s first Chief Decision Scientist has well articulated that policy layers can serve as an effective interim step.

Privacy Impact Assessments

Privacy Impact Assessments (PIAs) need to be updated to include all the implications that arise from AI. TrustArc recently did so. Their PIAs now essentially operate as Algorithmic Impact Assessments. PIAs include but also transcend legal compliance, ensuring that algorithms consider aspects like fairness, ethics, accountability, and transparency.

Global Governance of AI is also needed in companies that use AI in their products. Fostering a cohesive, coordinated effort at a global scale is necessary for algorithmic transparency and accountability.

Of course, AI can also be used in novel forms to help with the management of AI itself. Novel machine learning (ML) solutions are in constant development to ensure user privacy.

Technological Advancements in Algorithmic Privacy

Keeping a watchful eye on ML solutions directed at privacy is important. Several stand out and undoubtedly, many more are in the works. Although the solutions themselves are highly technical involving advanced mathematical and computational approaches, their applications need to be understood by privacy professionals. In this sense, algorithmic privacy begins with the explainability and transparency of AI algorithms built to maintain privacy themselves.

A starting point is the notion of Differential Privacy which has been around since the mid-1990s. This privacy-preserving data method allows for gathering useful insights about a population without compromising individual data. The impact on groups remains consistent regardless of any single person’s data inclusion, with only the study’s findings potentially affecting demographic subgroups, not individual participation.

Building on Differential Privacy, Microsoft’s Privacy Preserving Machine Learning (PPML) initiative is a three-step process to understand, measure, and mitigate privacy “leakages” in training models. It aims to preserve the privacy and confidentiality of customer information while enabling next-generation AI productivity.

A quick overview of Machine Learning (ML) approaches to privacy includes the following.

• Perturbation Techniques add noise to data or algorithm outputs to prevent sensitive information from being learned.
• Cryptographic Approaches allow computations on encrypted data, ensuring sensitive information is not exposed.
• Federated Learning allows ML models to be trained across multiple decentralized devices or servers holding local data samples, without exchanging them.
• Secure Multi-Party Computation and Differential Privacy involves a distributed learning framework that provides secure multi-party computation while adding noise to the computations. It provides a mathematical guarantee of privacy but does not require decentralization of data like federated learning.
• More recently, MIT’s Probably Approximately Correct (PAC) Privacy technique automatically determines the minimal amount of noise that needs to be added to protect sensitive data.

These Machine Learning (ML) procedures offer robust and diverse tools to protect sensitive data. They provide mechanisms to add noise to data, perform computations on encrypted data, train models on decentralized data, and integrate secure computation with privacy guarantees, thereby enhancing data privacy and security in ML applications. While their technical implementation may sit with other experts, it is important that privacy professionals have a broad understanding of their use and a seat at the proverbial table in the decisions to use them.

Much of these requirements gathering are not yet adequately understood nor addressed in current regulatory compliance standards. Again, privacy professionals involved from the beginning of design can help ensure the “future-proofing” of built applications.

The Global Regulatory Context

Recognizing that current laws and regulations are not adequate for addressing AI legal and ethical concerns, most regions worldwide are in the process of updating their regulatory frameworks. Each is influenced by their legal, cultural, and economic contexts.

In the EU, the Artificial Intelligence Act presents a horizontal strategy, aiming to set a gold standard for AI regulations with a set of rules that applies across all sectors and industries. This act is reminiscent of the GDPR and may well have a similar far-reaching impact. Canada’s Artificial Intelligence and Data Act (AIDA) also adopts a horizontal strategy and is particularly focused on high-impact systems.

By contrast, the U.S. is taking a vertical approach to regulation, with different sectors such as healthcare, finance, and transportation each having their own set of rules and regulatory bodies. Rather than crafting new AI-specific laws, existing legal frameworks to govern AI tools are being leveraged. This sector-specific approach brings into play key regulators like the Federal Trade Commission and the U.S. Department of Justice.

TrustArc: Leading the AI Privacy Revolution

In the dynamic realm of AI regulations and technical challenges, TrustArc emerges as a beacon. Their comprehensive suite encapsulates facets of governance, privacy, security, and compliance that help future-proof regulatory compliance.

For example, TrustArc’s data inventory hub helps enterprises map every software application they deploy and store individual data in. Each application is rated as to it high, medium, or low risk in terms of its privacy contents, which is what is contemplated in all future AI regulations.

TrustArc has updated and integrated renowned frameworks like the NIST AI Risk Management and OECD AI principles. In addition to the updated Nymity PMAF, catering specifically to AI data privacy governance, TrustArc offers:

• Data and Business Process Risk Workflow: allowing you to streamline data mapping inventory and automatically get automated risk scores or customize your own. Based on the risk scoring, you can also configure your own automation rules to kick off a library or pre-built or customizable assessments to mitigate risk.
• Pre-built AI Risk Assessment Template: designed for AI risk specifically in mind, you can use this pre-built template designed by TrustArc privacy experts to evaluate your AI systems
• AI Resources: Expert-built operational templates and topics are available for effective AI deployment, along with how to incorporate best practices and standards including OECID AI, NIST AI, and PMAF.

With AI Governance features seamlessly integrated into existing products, TrustArc ensures privacy professionals are always a step ahead with best practices and regulatory updates.

The momentum of AI’s advancement shows no sign of slowing, and with it comes heightened responsibilities for privacy professionals. Algorithmic accountability and privacy safeguards are more crucial than ever. TrustArc stands ready to assist enterprises aiming to become both innovation leaders and brands renowned for their ethical approaches to AI.

When selecting a data privacy automation software for your business, you want to make the right choice. But considering how fast the data privacy industry has grown, it’s likely your first time purchasing software for this purpose.

With the rapid advancement of IoT, Virtual Reality (VR), and Artificial Intelligence (AI), comes the need for greater data responsibility. And regulations are quickly catching up to these new technologies, increasing the need for better privacy programs and data security.

Building a privacy program that minimizes risk to the data subject and your organization requires resources and powerful technology to keep up with the pace of data collection, processing, and requests.

How Do You Know if a Privacy Automation Software Will Meet Your Needs?

Before deciding on the right privacy software, you must understand your business requirements for data privacy.

For example, are there State, Federal, International, or industry-specific regulations that your company must comply with? What types of data are you collecting, processing, or sharing, and what is the risk associated with that information?

Some industries come with greater risks to personal information than others. Especially companies and services that collect health, financial, or other personal information to conduct their operations.

36% of organizations use an open-source solution or spreadsheets and shared documents to start building a privacy program. Trying to scale these solutions usually results in misery, errors, and inconsistency for the privacy team.

It’s at this point that companies start looking for some type of privacy automation software solution. But, before you do, check out these do’s and don’ts of selecting privacy automation software.

What to Do When Selecting Privacy Automation Software

Do Get the Right People Involved

Privacy isn’t the job of a General Counsel, a Chief Privacy Officer, or the Chief Information Security Officer alone. If your company collects data about people, privacy is a part of everyone’s job. In fact, in today’s data-centric world, Heads of Marketing, Strategy, and Data Science are often heavily involved in the privacy technology solution decision.

Before you start researching privacy tech solutions, there are two internal tasks that you should focus on. 

• Gather a detailed list of the business functions and their specific requirements to use, process, share, or collect data.
• Outline every business process the potential privacy technology will need to align with to satisfy all requirements you listed in the first task.
  • If you haven’t already, at this stage, it’s beneficial to create a high level data map to best understand how data flows in and out of your organization. However, some privacy technology solutions come with this capability.

Understanding the specific requirements and business processes is essential if you want a privacy automation software that will scale with your company. Depending on the nature of your organization, where it’s located, and who your customers and partners are, the people and functions involved in the decision can vary greatly.

Some roles and functions to consider include:

• Information Technology
• Cybersecurity
• Legal Counsel
• Marketing, Communications, and Public Relations
• Information Governance and Risk Management
• Business Strategy, Operations, and Data Intelligence
• Sales and Customer Service
• Human Resources

Data is often used heavily in these functional areas to influence strategy, make decisions, and carry out key daily business functions such as marketing, sales, and customer service. Identify the stakeholders with data privacy interests in your organization and involve them early in the privacy technology selection process.

Do Ensure the Laws and Regulations You Need are Included in the Software

Data privacy has become a complex web of regulations regionally and globally. Mix industry into the equation, and the complexity increases. Now add in quickly advancing technology such as IoT and AI, and the potential for new regulations becomes endless.

When vetting privacy automation software, ask which regulations are included and how often new regulations are added. Some privacy technology solutions may be more tailored to specific regions or industries.

Examine your business strategy. Which regions will you expand to? Industries? Will this be covered with the potential solution? Will it automatically identify privacy laws and standards that apply to your company?

The global privacy regulation landscape is anything but stagnant. And you not only need to keep up with the regulations, but you also need to know how if your current practices are enough to comply with new regulations fully. The best privacy automation software will intuitively analyze gaps between your current privacy program and existing regulations.

The more customers you plan to serve, the more important it is to know the regulations you must comply with and how they change. Otherwise, noncompliance with privacy laws can cost your company millions in fines.

At a minimum, the solution you select needs a strong privacy regulation roadmap. With hundreds of privacy regulations across the globe, this isn’t an area you want to skimp due diligence.

Beyond the sheer number of regulations alone are the intricacies of each regulation. For example, some regulations require privacy assessments (and, therefore, data inventories) to be conducted.

Great privacy automation software moves beyond regulations to include essentials for a privacy program. Ask potential solutions providers about privacy and data protection assessments, templates, automatic data inventory population for assessments, GDPR Article 30 reporting capabilities, data subject rights management, and website compliance audits.

Essentially, you’ll want a tool to plan and structure your entire privacy program in one place.

Do Know Which Connections and Integrations You Require

Data has become central to business operations because of its incredible value when well-harnessed. Contrary to popular belief, data protection doesn’t limit the potential value of data. It increases it.

Purchasing, sharing, processing, or using data that doesn’t comply with privacy regulations is a ticking bomb for your organization. It can cost you in fines, loss of trust and customers, and even lead you in the wrong strategic direction. At the very least, it will take a strenuous effort to get that data to a usable state.

Data collected in compliance with privacy regulations is far more valuable than data that violates privacy laws. The transparent use and collection of data builds trust with stakeholders and provides valuable insights that can be relied upon.

To extract data’s value, you’ll want to find privacy software that can connect with common technologies such as Application Programming Interface (API), Customer Relationship Management (CRM) software, Tag Management Systems, and other Marketing, Website, or Customer Success tools you currently use.

Include outlining desired connections and integrations that will be needed from all stakeholders in your privacy automation software selection process.

Do Select a Software that Can Grow with Your Business

You have big plans for your company and privacy isn’t going away. You need software that can scale with your company and keep up with technology and privacy requirements.

Finding the right privacy automation software the first time can help you save big. Mainly because of switching costs. Getting a privacy program up and running takes time and effort. Employees need to learn how to use the software and get the information uploaded into the system.

If you decide to switch privacy automation software providers after your contract ends, you’ll incur all those costs of setting up a new software again. This is often referred to as switching costs – and it’s a primary reason customers stay locked into a product or service even if they aren’t happy.

As you vet different privacy products make sure you learn about their full suite of capabilities, not just what you need today.

Some privacy programs are built for specific purposes only, while others may span all information governance, data inventory and mapping, consent and preferences management, data subject access requests, and even security requirements.

However, don’t be oversold. If you don’t need every add-on a company is offering today, don’t be forced to buy more than you need.

What Not to Do When Selecting Privacy Automation Software

Don’t Assume Automation Will Do Everything

As AI and machine learning become more prevalent there are still misconceptions about what it can accomplish. Even the best privacy automation software needs to be properly set up to work “automatically”.

Expect to do work on the front end to upload your privacy policies and procedures into the software. You’ll also likely need to import existing data inventories, vendors, and records into the system.

One way that vendors can stand apart is in the level of service they provide to help you get started. Ask about the materials and support available to help integrate your existing processes and migrate data into the application.

Will there be any additional fees for onboarding, training, and implementation of the solution you select? Is there 24-hour support?

These are just a few questions you should consider. In general, it’s most helpful to have a clear understanding of what automation does before you assume it has magic powers.

Don’t Be Fooled by Introductory Pricing/Offers that Quickly Increase in the Years to Come

Remember those switching costs from earlier? Some companies may take those costs to a whole new level by offering low or nearly free introductory pricing and then significantly raising your rates in the years to come.

Pay close attention to any contracts and prices you agree to and ask about future costs. Transparency is highly valued in privacy and your vendors should embody the value of transparency as well. If not, take that as a red flag.

Don’t Select a Privacy Automation Software for Another Purpose

Selecting a dual-purpose software solution or one made for a reason other than managing a privacy program might sound good, or even come in at a better cost for your business. But research shows that the type of privacy software solution you adopt matters.

Organizations that adopted privacy management software among other choices scored the highest on TrustArc’s 2022 Global Privacy Index. Solutions such as Governance, Risk, and Compliance (GRC) software, spreadsheets, emails, internally developed systems, and free or open source privacy software all fell short.

If your company is serious about building consumer trust, avoiding penalties and fines, and building a compliant privacy program, select a dedicated privacy automation software solution.

Don’t Buy a Solution that Doesn’t Help You Extract Value from Your Data

Organizations today are collecting all kinds of data. While some of it may be a special class of personal or sensitive data, other data can be used for all sorts of purposes.

As you search for the right privacy automation software, look for a provider that enables you to achieve your business outcomes through data. Using your list of business processes, determine: what outcomes does the company hope to achieve with data?

At a minimum, you need a solution that will have full data inventory, mapping, and management capabilities. This includes everything from your data lifecycles to building data inventory records for DPIAs, and the ability to configure information collected about each type of data.

You’ll also want to pay special attention to the ability to flag high-risk processes and data compliance risks such as sensitivity and geographic location.

Consent and Data Subject Requests (DSR) Management are Crucial Capabilities

The foundation of a complaint data privacy program lies within transparent communication between your business and its consumers. To use their information, you need their consent or permission. And consumers should be able to easily change or withdraw their consent through DSRs.

A complete privacy software solution will include a platform for consent and preference management as well as managing those data subject requests in a timely manner. You’ll want to find a solution that can assign tasks automatically around resolving DSRs, workflows, and access levels in addition to privacy law compliance.

Global laws and regulations heavily influence how consent and preferences are to be managed. This often has a major influence on how marketing, sales, and communications teams connect with their audience.

You need a solution that can automate privacy law compliance and help you manage your data in a profitable way. Be wary of solutions that focus on only one aspect of the data lifecycle. While they may be specialized, they may not help you achieve your business goals.

Take the Next Step to Automated Privacy Program Management

Explore our variety of privacy automation software solutions.

 

Whether you are looking for a certification or need to build a robust privacy program including assessments, customer consent and preference management, regulatory compliance, and data management, TrustArc provides the right solution to match your needs.

Privacy, Security, and IT have similar goals. Unfortunately, they sometimes have a conflicting relationship inside an organization.

Today, we know that compliance with data privacy laws is not exclusively the responsibility of the compliance office. But what’s the line between privacy, security, and IT? How can organizations achieve harmony and collaboration between those disciplines?

Join our panel in this webinar as we explore how privacy, IT, and security can work together to create a more secure, privacy-focused and compliant organization.

This webinar will review:

• The differences between privacy, IT, and security
• How these disciplines overlap and yet complement each other
• How to achieve an efficient collaboration between the IT/Security and Legal departments

The last two years have provided the healthcare industry with numerous new challenges. While many healthcare providers remain in the thick of responding to COVID-19 at the delivery level, other IT, Privacy, Data Governance, and business leaders in healthcare are preparing to use their digital transformation for further progressive change.

According to a TrustArc survey, not less than 9 of 10 healthcare leaders say privacy is an important factor in most of their decisions! With the rapid adoption of virtual health and other digital innovations, consumers’ increasing involvement in care decision-making and the push for interoperable data and data analytics use, how can the healthcare industry adapt?

Join our panel on this webinar as we explore the privacy risks the healthcare industry will likely encounter in 2022 and how healthcare companies can use privacy as a differentiating factor.

This webinar reviews:

• The state of privacy management in healthcare
• How the healthcare industry should face current privacy challenges
• How healthcare companies can differentiate themselves with their privacy program