5 Ways Tech Platforms Can Protect Private Data

As private data becomes ever-more valuable, it’s also getting harder to protect. Hackers are using AI to sneak into IT systems faster and more effectively – and companies must strengthen their security to keep up. At the same time, regulations are evolving rapidly, often raising the compliance bar.

In this environment, business leaders say security and privacy are the greatest risks to leveraging AI and machine learning (ML) in their organisations, according to the C-Suite Global AI Indicator Report by Workday. To manage these risks while also tapping into the benefits of AI, CIOs need technology to do more on all fronts.  

In addition to making data easier to organise and analyse, technology platforms can help organisations stay ahead of cyber threats and privacy rules. With the right cloud-based tools, IT teams can build privacy into systems from the start, rather than continually playing catch up as new risks and regulations emerge.  

Here are five ways tech platforms can help organisations navigate new privacy needs in tumultuous times.

1. Make Transparency Automatic

Collecting user data has countless benefits – but it also comes with serious risks. Not only do most jurisdictions have strict rules about how private data can be collected and used – rules that will only intensify with increased use of AI and machine learning – they also require companies to clearly outline for users what they plan to do with it.

“In recent years, some companies have received multi-million-dollar fines as a result of failing to meet the requirements around transparency and provision of information,” said Patricia O'Gara, Senior Principal, Data & Privacy Engineering at Workday.

Full transparency is necessary for end users to make informed decisions about the type of permissions they want to grant a given organisation. But it can be difficult to deliver the legal information people need in an accessible way.

The right technology platform can help companies present privacy information persistently, either on a homepage, in a footer or within a central dashboard that users visit frequently. However they’re presented, providing clear links to privacy notices that can be updated as needed helps ensure users can access the required information with the click of a button. 

2. Put Users in Control

The idea that individuals should retain control over their data is at the heart of most privacy laws. While the exact requirements continue to evolve, proactive companies can stay ahead of the game by letting users decide what data can be used for what ends.  

For example, a company might want to track user metrics on their website using analytics software. This can help personalise marketing, career-focused messaging or inform future offerings, but users must opt-in to sharing this type of data via cookie banners.

However, that’s only one piece of the puzzle. People should also have control over how their data is being stored and processed – which requires companies to give users a peek behind the curtain. For example, if an employee requests access to their personal data, IT teams need to be able to quickly create a report that shows what information the company is tracking, who can access it and how it is leveraged to inform decision-making. Many organisations, however, have room for improvement – just 34% of respondents in a global privacy survey said they have conducted data mapping and understand their organisation’s data practices.

Admin guides and fact sheets can help companies clearly communicate how personal data is used by ML models, giving people the context they need to make an informed choice about what they will allow.  

“It's really about what data is used as input, what the output of the machine learning capability is, how we are doing bias evaluation and how our machine learning model is trained,” said Sabine Hagege, Director, HCM Product Strategy at Workday. “People need a lot of information to understand how the data is processed.”

3. Get Granular with Consent

In many situations, users will be comfortable sharing some personal information for specific purposes. Companies are then responsible for making sure that data is only used in approved ways. And if a company works with consumers or employees in multiple jurisdictions, it must ensure that data isn’t shared with or pulled from regions with different privacy laws.  

How can CIOs navigate all the moving parts? It starts with the proper configuration. Technology platforms that offer a localisation framework give IT teams the power to determine what type of information can be tapped for different people based on who they are, what role they play and where they’re located.  

“It’s best when you can configure for each purpose you collect data for. So is it for diversity and inclusion or statistics and metrics?” said Hagege. “Then, on a country-by-country basis, use the consent response to configure your other processes and control how that data is used.”

4. Purge Data You Don’t Need

Many privacy rules also demand that personal data be deleted when it’s no longer needed. Consent should be given for a specific purpose and timeframe – and companies must permanently erase, or purge, that information afterwards.

To stay in line with expectations and regulations, each company needs a data purge plan. CIOs should work with their IT teams to determine which data should be purged when – and then schedule mass deletions on a regular basis.  

However, that alone is not enough. Companies must also be able to purge an individual’s data at will, either because their status has changed or because they’ve requested it. For example, a CIO might want the data of every terminated employee purged immediately after they leave the company. Or a job candidate might request their data to be purged if they aren’t hired.  

IT should make it easy for people to get their data deleted – but it’s important to remember that “purging is irreversible,” said Hagege. “So it's very important that you implement some controls and make sure that whoever has access to purge is fully aware that it can’t be undone.”

5. Keep Private Data Confidential

Getting consent to collect and use private information doesn’t make it any less private. CIOs must keep this in mind when determining who can view what data – and take the steps needed to keep sensitive information confidential.

Certain types of data, such as birth dates, government identification numbers and health information, are valuable on the black market. Because these data types are a prime target for theft or exploitation, they must be handled very carefully each step of the way. 

For example, when IT teams are implementing new platform features or functionality, they can scramble data to block testers from viewing private data. Data scrambling uses real personal data to create realistic but fake datasets for testers to use. This enables the consistent and rigorous Quality Assurance needed to deploy new technologies while also limiting exposure.

Data masking also helps companies keep private data confidential. For instance, while an individual’s manager needs to see their salary, every person on the HR team doesn’t. Serving up private data on a strict need-to-know basis can protect employees’ privacy and security, while also helping companies navigate a variety of local privacy laws.  

“That’s context-based security, which is really valuable when you work in multinational organisations,” said O’Gara. “It's an entirely flexible model that allows you to be in full control of who has access to specific data.”