How to Enhance Data Privacy and Build Customer Trust
by Ms Katharine Jarmul, Principal Data Scientist, Thoughtworks
Security does not guarantee privacy. Although the two are related and support each other—particularly in the tech context—it’s important to note they are fundamentally different.
Data or information security is a technical field of study and practice. It aims to ensure data is available only to those who should have access, is not altered without authorisation, and is there when it is needed. It does this with the help of three principles, the CIA triad: confidentiality, integrity, and availability. These principles are applied through common practices, including authentication, encryption, network security controls, and limits on physical access.
Privacy, on the other hand, is personal. An individual’s view of privacy emerges from their own beliefs, upbringing, cultural norms, and social understanding. These are all very intimate factors and are closely aligned with trust. If someone shares something private with you, they trust you.
Privacy is inherently contextual. If two people are whispering to each other, it’s obvious their conversation is private; if a person is yelling in a public square, it’s likely that information is public. However, in the digital world, this context is difficult to gauge and easy to misinterpret. This becomes problematic when software defaults make all communication public; only some users know how to implement the level of privacy they expect.
Broad conceptions of privacy typically reflect societal standards and are often articulated in regulation. There are many examples of this in the global tech landscape today, like GDPR (General Data Protection Regulation) in Europe—which set a new benchmark for privacy expectations and influenced subsequent legislation, such as Brazil’s LGPD and California’s CCPA.
Privacy violations become trust violations when users’ data moves from one context to another without their consent. This could be because of software defaults or a data breach. Whether it is photos, medical records or text, the implications are serious. It creates further distrust in how the data is collected and used, and can trigger a wider consumer backlash.
Privacy Enhancing Tech
Technology can also enhance privacy. There are several innovations which enable privacy:
- Differential Privacy is the gold standard for anonymising data. It provides a rigorous mathematical definition of privacy loss—a bound, usually written epsilon, on how much any one individual’s record can change the distribution of a query’s output—and therefore a way to measure and budget that loss.
- Encrypted Computation (homomorphic encryption and secure multi-party computation) allows computers to run programs on encrypted data without decrypting it. It provides secrecy and security guarantees while data is being processed, not only at rest and in transit.
- Federated Learning pushes processing to the data source, rather than pulling data into central storage. It enables machine learning without centralised processing and storage of the raw data.
- Confidential Computing describes a family of technologies, including hardware-isolated trusted execution environments and encrypted computation, that protect data while it is in use. It allows for more confidential use of computing resources.
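To make the differential privacy entry concrete, here is an added example (not part of the original editorial) of the Laplace mechanism applied to a counting query. The dataset, threshold and epsilon values are constructed for illustration. It shows the two facts practitioners most often need: noise scale is sensitivity divided by epsilon, and the log ratio of output probabilities between two datasets that differ in one record never exceeds epsilon. Repeated queries spend epsilon additively, which is what makes privacy loss a budget.

```python
import math
import random

# Constructed sample data: each record is one user's age. The query asks how
# many users are older than a threshold. Two datasets are "neighbours" if
# they differ in exactly one record.
AGES = [23, 45, 31, 52, 67, 38, 41, 29, 58, 44]


def count_over(ages, threshold):
    """Exact counting query. Its L1 sensitivity is 1: adding or removing one
    person changes the answer by at most 1."""
    return sum(1 for a in ages if a > threshold)


def noise_scale(epsilon, sensitivity=1.0):
    """Laplace scale b for epsilon-DP: b = sensitivity / epsilon.
    Smaller epsilon (less privacy loss) means larger noise."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def laplace_sample(scale, rng):
    """Draw one Laplace(0, scale) variate using only the standard library
    (inverse-CDF method on a uniform draw in (-0.5, 0.5))."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(ages, threshold, epsilon, sensitivity=1.0, rng=None):
    """Laplace mechanism: release the true count plus Laplace noise."""
    rng = rng or random.Random()
    return count_over(ages, threshold) + laplace_sample(
        noise_scale(epsilon, sensitivity), rng
    )


def privacy_loss(y, true_a, true_b, epsilon, sensitivity=1.0):
    """Absolute log ratio of the Laplace output densities at release value y
    when the true answer is true_a versus true_b. For Laplace(c, b),
    log p(y) = -log(2b) - |y - c| / b, so the constant cancels and the loss
    is | |y - true_b| - |y - true_a| | / b, which is at most |a - b| / b."""
    b = noise_scale(epsilon, sensitivity)
    return abs(abs(y - true_b) - abs(y - true_a)) / b


def worst_case_privacy_loss(true_a, true_b, epsilon, sensitivity=1.0):
    """Scan a grid of possible release values and return the largest observed
    privacy loss. For neighbouring counts (|a - b| <= sensitivity) this is
    bounded by epsilon, which is exactly the epsilon-DP guarantee."""
    lo, hi = min(true_a, true_b) - 20, max(true_a, true_b) + 20
    steps = int((hi - lo) * 4)
    grid = (lo + i * 0.25 for i in range(steps + 1))
    return max(privacy_loss(y, true_a, true_b, epsilon, sensitivity) for y in grid)


def compose_epsilon(epsilons):
    """Basic sequential composition: answering k queries with epsilons
    e1..ek on the same data costs e1 + ... + ek in total privacy loss."""
    return sum(epsilons)


if __name__ == "__main__":
    rng = random.Random(2022)
    true = count_over(AGES, 40)
    for eps in (0.1, 0.5, 2.0):
        print(f"epsilon={eps:<4} scale={noise_scale(eps):<5} "
              f"true={true} released={dp_count(AGES, 40, eps, rng=rng):.2f} "
              f"max loss vs neighbour={worst_case_privacy_loss(true, true + 1, eps):.3f}")
    print("three queries at epsilon=0.5 spend", compose_epsilon([0.5, 0.5, 0.5]))
```

Running the block shows the trade-off directly: at epsilon 0.1 the released count can be off by tens, at epsilon 2.0 it is usually within one, and in every case the worst-case privacy loss against a neighbouring dataset equals epsilon rather than exceeding it.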
Adding privacy tech to your software and systems can make it much easier to secure data. If you can reduce the number of people who have access to raw data while still empowering people to do their jobs, you significantly reduce the potential impact of a data breach. The same principle limits what a phished account can reach, because fewer accounts hold raw data in the first place. Finally, privacy technology helps security professionals ensure the confidentiality of data in the system by supporting efforts to keep data encrypted wherever possible, including while it is in use.
How should you get started with privacy tech? Begin by identifying the relationships your company has with customers. Consider how real-world trust translates to a digital context. Next, map the social, cultural, and regulatory expectations your customers have when interacting with your products or services. You can then bring governance and compliance stakeholders together with your product and tech specialists. This last step is critical: creating these connections can ensure that privacy is a first-order concern in how you build and deliver products.
There will be challenges: security, privacy, compliance and audit specialists in your company might be unpopular with technical teams, who may have the misguided perception that these specialists exist to slow down work and create roadblocks.
If faced with this challenge, here’s what you can do:
- Change the conversation by using privacy as an internal bridge. Privacy tech can help build trust between your governance, compliance and technical teams. Ask, for example, how teams might go about incorporating robust privacy protections into a new machine learning product.
- If different stakeholders appreciate the values, processes and needs of their counterparts, tech enablement becomes easier. It will also create a shared language, where privacy is understood through multiple lenses and across different areas of expertise. This will make internal conversations collaborative instead of combative.
- Adopt an iterative approach by prioritising sensitive data and high-value projects. Now that you have a communication line between your privacy, audit and compliance experts and your data and tech leaders, they should be able to work together to prioritise an initial use case and architecture.
- Start small and build on wins by identifying cases where privacy tech could enhance customer and business value while reducing risk. Experiment and learn as you go with small use cases. Small, federated successes and a community of learners and practitioners will pave the way for privacy-first engineering across the enterprise.
Prioritising privacy at multiple levels of your organisation and embracing technological change can unlock new possibilities for delivering value for customers. It is only by enabling new privacy technologies that your organisation can be better prepared for rocky regulatory waters and the increasing demand for accountability from customers.
Ms Katharine Jarmul is Principal Data Scientist at Thoughtworks. We thank our SGTech member, Thoughtworks, for their editorial.
Pioneering Digital Trust
SGTech believes that there is an opportunity to position Singapore as a global node for digital and data, based on trust.
Learn more or join our upcoming SGTech Global Future Series: Digital Trust Forum at https://bit.ly/digitaltrustforum.
Published Sep 2022