Create a holistic approach to data protection

Your organization’s cultural views on data protection inform the way data privacy and security policies are enacted and executed. Harvard Business School defines “data ethics” as the moral obligations tied to gathering, protecting and using personally identifiable information, as well as the impact these actions have.³ To make sound decisions around data and promote responsible AI, consider the following principles of data ethics.

Getting data ethics right begins with knowing who owns the data you’re using. Just because a user gives you data doesn’t mean you own it. Consent is a must—and so are data protection and data respect. Upholding data integrity means never abusing data and disposing of that data as soon as you’re done with it.

In data protection terms, transparency means being clear with customers about how their data is used. According to Pew Research Center, 81% of people say the potential risks of data collection outweigh the benefits.⁴ To overcome this historic mistrust, empower users to understand the purposes and lifecycle of customer data so they can feel comfortable that your organization will use it properly and with best intentions.

When a company collects information, stores it and analyzes it, that information should not be used, stored, shared, maintained, retained or disposed of outside of the agreed purposes for which it was originally obtained. This instance is where data privacy strategies come into play again to help strengthen data ethics and security policies.

Whether your organization is a solution provider or a digital provider, always be clear on your purpose when using data and machine intelligence. Responsible AI ensures that users understand how data and technology work together and why AI makes the decisions it does. Tools to increase our trust in AI—such as explainer toolkits, taxonomies of AI techniques and AI governance solutions—help users know your intentions so they can trust in your technology, your processes and the outcomes of their data use.

Ebook: Learn what it takes to build and implement an AI governance framework →

Data breaches, ransomware attacks and slipups are harmful to customers and will test their patience, loyalty and faith in your organization. Because these problems can and will arise, it’s vital to put risk management safeguards in place. One IBM study found that companies that have fully deployed AI and automation as part of their security strategy save an average of USD 3.05 million in data breach costs compared to those who have yet to do so.

Data ethics is about establishing an enterprise culture of principled behaviors and practices for data management. Ideally, this culture of ethics and data literacy is adopted across your organization and reflected in your products and operations. Data privacy, on the other hand, is about defining the policies and practices that activate these principled behaviors through people, business processes and technology, and operationalizing them across the lifecycle of data, from collection to data storage. This method is the essence of creating—and automating—a solid data governance framework as part of a data fabric approach.

Data governance helps strike the balance between limiting access to data to ensure privacy and enabling wider access to data for improved analysis. To make it more seamless for your organization to use data while also protecting against unauthorized access, you’ll need to implement the right data privacy tools, such as data access controls. Combine these with AI, such as anonymizing sensitive data so it can be used in a nonidentifiable way or tagging data to allow for policy enforcement.

Having the right data architecture, such as a data fabric—combined with rigorous data management—goes a long way to ensuring that private data remains private and secure, while still allowing data users to gain insights from it.

“Your data protection framework needs to be extremely elastic and very responsive in order to deal with the unknowns of regulatory changes, third-party data, AI regulations and whatever the next 25 developments will be,” says Lee Cox, Vice President, Services, Compliance & Research, Chief Privacy Office at IBM. “There’s way more synergy between privacy and ethics and data governance than we ever anticipated. But the technology we now have is enabling us to rely confidently on data at scale with far more efficiency than we ever did before.”

Data privacy is first and foremost about protecting customer data and maintaining trust amid shifting regulations. But in today’s marketplace, that’s also a business differentiator. “Privacy is part of a competitive advantage story that touches on practices across our company and contributes directly to revenue as we build the technology that supports our privacy program globally,” says Christina Montgomery, IBM Chief Privacy Officer.

The introduction of the General Data Protection Regulation (GDPR) by the European Union in 2018 challenged many organizations, including IBM, to accelerate development of their privacy programs. For a global company, a logical first step is harmonizing and consolidating local legal requirements into a global privacy compliance framework. For example, by classifying and consolidating metadata from thousands of existing data repositories into a central data fabric, IBM can now quickly determine what types of personal information are being processed across the company, by whom, and where that data is stored. Having a unified privacy framework provides a metadata-driven approach and single trusted source of truth that has been fundamental in reducing IBM’s exposure to regulatory risk.

Learn how to stay ahead of ever-evolving data privacy regulations

Organizations that go beyond simple regulatory compliance can build trust with customers and stand out from competitors. This holistic, adaptive approach to data privacy yields other rewards too:

Understand data risk
Assess data use and risk against customer and regulatory responsibilities.

Secure data sharing
Protect personal data with cybersecurity controls to deliver trusted experiences.

Automate incidence response
Respond efficiently to remediate risk and compliance issues and scale more easily.

“Technology is evolving, but the threats are also growing exponentially,” says Mehdi Charafeddine, Distinguished Engineer and Global CTO for Data Platform Services at IBM. “Fortunately, there are more and more sophisticated ways to apply data protection and support data privacy.”

According to Gartner, data security comprises the processes and associated methodologies that protect sensitive information assets, either in transit or at rest. That’s why data security is really all about the tools and software used to protect data privacy, whether that’s encryption, multifactor authentication, masking, erasure or data resilience. But establishing appropriate controls and policies is as much a question of organizational culture as it is of deploying the right apps and algorithms.

From a technology standpoint, you can safeguard data with data fabric architecture, which protects data at the “front door,” where users interact with data at the point of the application, and at the source or “back door” where data is generated and stored, not to mention everywhere in between. This front door, back door approach is crucial to ensuring appropriate data security policies and controls are in place.

Another consideration is operating in multiple geographies. Due to data silos and lack of central governance, it’s often not realistic that data scientists can run analysis across geographies. With a data fabric there is no need to “imagine and simulate the data and do your models.” With this modern data architecture an organization can give the data to the data scientists with the right governance and privacy rules in place so they feel like they really are running a cross-organization initiative.

Weaving data security measures into end-to-end data management is important in supporting both security and privacy, especially for sensitive data. Take medical research at a hospital, for example. The hospital may be collaborating with third-party experts or data scientists who need to work on specific data or applications without being able to see any regulated or personally identifiable information. Automated role-based data policies can enable collaboration with different parties while also protecting the data from a privacy and compliance standpoint at the application level. At the same time, for responsible AI, that data must be safeguarded at the source where it’s stored, for example, the database on premises where it was first collected. Otherwise, patient information is still vulnerable if a cybercriminal were to infiltrate these systems.

When data security is done correctly, it incorporates people, processes and technologies and builds trust in AI. Explore the following best practices for making information security a priority across all areas of the enterprise.

The key steps in protecting sensitive data include automating visibility, contextualizing, controlling access policies and implementing ongoing monitoring to identify vulnerabilities and risks before they become breaches.

Support a zero trust approach to data management with an integrated suite of capabilities, including automatically created and securely isolated data copies that can tackle cybersecurity gaps in on-premises or hybrid cloud deployments.

Addressing the growing number of privacy mandates is difficult enough. Keeping up with reporting can be another hardship for your team. Simplify the compliance process with automation, analytics and activity monitoring.