Fireside Chat #1:
Speed to Insight, Lawfully & Ethically

This is Doug Laney, Data & Analytics Strategy Principal at Caserta and author of the book “Infonomics: How to Monetize, Manage and Measure Information as an Asset.” I am here today with Gary LaFever, CEO and General Counsel at Anonos, to discuss the idea of gaining business “Speed to Insight, Lawfully and Ethically.”

Gary, the COVID-19 pandemic is producing a “new normal” where the processing of digital assets to create timely data-driven insights is increasingly important. One need only look at the impact of consumers not being able to visit brick-and-mortar locations for months, resulting in an extraordinary increase in the use of digital payments. This is proof of an increasingly savvy digital customer base. Organisations that effectively leverage digital insights to provide customers with context-aware, personalised offerings will be the winners in this “new normal.”

There will be little middle ground between data insight “haves” and “have-nots.” Organisations that cannot implement sustainable strategies for developing and refining digital insights run the risk of becoming non-competitive. In contrast, organisations that implement sustainable, trustworthy and transparent data insight strategies will thrive. Successful data use, sharing and combination arrangements between partners will be the difference between winners and losers.

Doug, I completely agree.

The overwhelming increase in people working from home and purchasing goods online has dramatically accelerated our transition to a largely digital world. To survive and thrive, organisations need data-driven insights to anticipate and react to quickly-changing buying patterns.

This shift underscores the importance of moving beyond traditional approaches to data protection to support new requirements for businesses to gain “Speed to Insight”... but not just Speed to Insight... you need the insight to be"Lawful and Ethical” as well.

Data only has value when it is in use. Security technologies - like encryption - remain important for protecting data at rest and in transit - but they do nothing to generate digital value or create insights. When data is put to use, the protections afforded by security technologies no longer apply, because they protect data only when in transit or at rest.

Traditional approaches to data protection also create tensions between the business desire to generate digital insights, and the obligation of security and privacy teams to protect their organisation against threats, liability and business disruptions from data misuse. While an organisation may be able to spin up a new cloud server in a few minutes, they may have to wait weeks or months to get security and privacy sign-off before going live with a new application on the server. The only data that can be safely used without security and privacy sign-off, is data that is not subject to ANY restrictions.

Development teams focused on using Analytics, AI, ML and data sharing technologies that focus on delivering desired business but without addressing data security and privacy risks, expose their organisation to significant liability and potential disruption to operations.

This failure to comply with laws, rules and regulations applicable to high-risk but high-value data like Personal, Business and Talent data is a misalignment that can lead to missed business opportunities.

Traditional data protection technologies, like anonymisation via tokenisation, generalisation or suppression, as well as newer techniques like Differential Privacy, synthetic data and homomorphic encryption, protect data when in use but only for centralised processing.

These techniques do not support decentralised processing, sharing or combining. Examples of desired decentralised processing include when you want to share or combine datasets between organisations, combine multiple datasets of your own, or use datasets from different places for machine learning and AI. Since traditional data protection technologies are centralised, they limit the availability of data needed to generate robust digital insights.

In addition, traditional decentralised data protection technologies often only focus on protecting immediately identifying data, often referred to as Personally Identifying Information, or PII. But, recent laws like the California Consumer Protection Act - CCPA - and the EU General Data Protection Regulation - GDPR - require protection of more than just PII. These laws extend the obligation for data protection to indirectly identifying data - like age, gender, birthdate and location, for example. When these indirect identifiers are combined, they can be used to re-identify an individual. This is why laws like the CCPA and GDPR require their protection as well.

In summary, traditional centralised data protection technologies can:

• Create insurmountable tensions between business and security/privacy teams;
• Delay access to desired processing until digital insights are less timely and relevant; and
• Limit data insights to those available from centralised applications that cannot be linked together.

In contrast, Anonos decentralised data protection helps to resolve these issues by creating pre-approved schemas for non-identifying versions of data, called Variant Twins.

Variant Twins can be created for different processes to selectively disclose only the level and type of data approved in advance by security and privacy teams for each use case. By embedding policy, privacy and security controls into data flows to manage risk, use-case specific Variant Twins enable lawful and ethical decentralised data use, sharing, and combining so that businesses can gain “Speed to Insight, Lawfully & Ethically.”

Gary, can you provide a use case where Anonos technology helps to enable “Speed to Insight. Lawfully & Ethically”?

Let's take the example of a global firm with EU employees that wants to do Talent Analytics around the globe. Global firms are increasingly aware that Talent Data must now be processed differently to remain lawful and to avoid undesirable disruptions to business operations.

These challenges arise primarily because:

• PII - as well as non-PII data that can become identifying when combined together - creates liability if processed by employers based on the consent of EU employees because of the imbalance of negotiating power between the parties. This imbalance removes consent as an available basis for lawful processing of Talent Analytics under the GDPR.
• Similar problems can arise when sophisticated analytics, AI or ML are desired using non-employee Personal Data beyond the scope of what was described in detail to data subjects at the time of initial data collection.
• In addition, both PII and non-PII data can cause significant disruption to operations when data subjects demand that all of their data (not just PII) be deleted or alternatively no longer shared with third parties. Data assets cannot be processed effectively when their very composition and availability change from day to day.

Anonos technology is different from other solutions. Centralized privacy enhancing technologies do not embed controls that flow with the data and so may not provide adequate protection to satisfy balancing of interests requirements for sophisticated analytics, AI and ML to be lawful using Legitimate Interest. In contrast, Anonos decentralised data protection technology manages risk differently based on the level and nature of risk involved in different processes, regardless of where the data goes, to help ensure that digital insights are lawful and equitable - both within and between organizations.

Contact Anonos at LearnMore@anonos.com or Caserta at hello@caserta.com for more information.