Data Secrets: Doing Data-driven Business in Secrecy

by Kamesh Raghavendra, Chief Product Officer, The Hive

Business processes in enterprises are becoming intensely data-driven thanks to the wide adoption of robotic process automation (RPA), artificial intelligence (AI) and agile cloud-based delivery. Running a marketing campaign on Salesforce, profiling a supplier’s risk on Coupa or checking an employee’s background on Workday has never been as data-driven and seamless as it is now. Unlike traditional ERP systems and their rigid systems of record, modern SaaS engines are workflow-centric and provide agile API-based access to data, so that numerous pieces of decision intelligence can be extracted simultaneously through technologies like AI.

These data-driven business processes are becoming increasingly customer-centric in order to personalize the experience of the enterprises’ products and services. Digital marketing has become highly customized even in regulated verticals like banking, insurance, and mobility. Traditional B2B verticals like IT infrastructure, supply-chain logistics and manufacturing (turning towards additive manufacturing) are moving towards projecting an AWS-like experience to users in their enterprise customers. Core products & services in healthcare, pharma, credit and even utilities (think Nest) are getting personalized. Consumer mobility, buying behavior and location-based optimization have been driving trends in retail, commerce, media & entertainment, and CRM.

The combination of the above two trends has brought personal data about billions of individuals into data-driven and personalized processes and services in the enterprise. This is happening across business functions including marketing, customer support, HR, procurement and finance control (for credit-worthiness, etc.), and across verticals like banking, utilities, insurance, retail, credit, etc. Such unprecedented amounts of personal data processing have recently brought regulatory attention to this topic through data privacy protection regimes. GDPR in Europe and the California Consumer Privacy Act are examples of legislation that has recently defined the scope of rights for data subjects (natural persons whose data is processed in enterprises).

Privacy protection regulations give data subjects rights over the use and processing of their personal data. They also impose conditions on the transfer of and access to data across the geographic jurisdictions of the regimes (e.g. data accesses between the EU and North America are regulated by GDPR). The rights given to data subjects include those of transparency, access, rectification, intent behind processing, portability, etc. These regulations are enforced by state regulators and involve severe penalties for non-compliance (e.g. GDPR carries a penalty of 4% of an enterprise’s revenues). These regulatory obligations specifically target processors of data, going beyond the custodians of data who store it. For instance, the Marketing Department within an enterprise will bear obligations under these regulations for using personal data in data-driven campaigns, while the IT Department will still be its custodian. Hence, all the business functions driving data-driven decision making (like the ones listed previously) have become liable to data subjects’ rights even if the business process is in a different geographic area. This has changed the face of data privacy from being data management centric to becoming business process centric.

Enterprise data privacy protection for business processes begins with tracing the provenance of liabilities for serving the rights of data subjects across both enterprises and business units within an enterprise. For example, emerging paperless trade and predictive supply-chain applications involve data sharing between cargo owners, ports, customs, freight forwarders, ocean liners and airlines. The scope of data privacy protection includes both personal data and enterprise trade secrets propagating across the logistics value-chain. Each of the business functions mentioned earlier has complex chains of training data, model training, service location, target consumer and actions processed. Enterprises struggle to serve their liabilities to data subjects because the propagation of such obligations is deeply intertwined & complex. In order to scale compliance, enterprises need to simplify these propagative chains of obligations across business processes. It would be ideal to continuously shorten and simplify these data privacy obligation chains within the enterprise. Data privacy protection becomes more challenging across enterprises, and minimizing cross-enterprise obligations is very desirable.

Fortunately, there are several technologies developed in academia over the past decades that can be very useful in achieving the desired state of enterprise data privacy protection. In fact, many of these have been implemented as distributed systems with strong data privacy protection properties during the recent wave of crypto-currencies and blockchain platforms. Advanced cryptography methods allow applications to prove patterns in personal data without needing to access the raw data, and with no possible statistical attribution from the proof to the actual data subject. Secure multiparty computation (MPC) allows a network of nodes to process data without any one node being able to extract any meaningful information out of it (like attributing it to an actual data subject). Recent advancements in processor hardware allow confidential computation that trusts only the microprocessor chip, and NOT the developer of the software running on it, to preserve privacy. All these technologies have ushered in a generation of privacy-preserving computation and data analysis.
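
The MPC property described above can be seen in a small additive secret-sharing aggregate. This is an added example, not code from The Hive or from any product named in this article, and additive sharing is only one of several MPC techniques; the modulus, node count, function names and sample figures are constructed for illustration, and the nodes are assumed not to collude.

```python
import secrets

# Constructed parameters (assumptions, not from the article).
MODULUS = 2**61 - 1   # all share arithmetic is done modulo this prime
NUM_NODES = 3         # compute nodes, assumed not to collude

def share(value, n=NUM_NODES, modulus=MODULUS):
    """Split value into n additive shares that sum to value mod modulus."""
    if not 0 <= value < modulus:
        raise ValueError("value out of range for the chosen modulus")
    shares = [secrets.randbelow(modulus) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % modulus)
    return shares

def reconstruct(shares, modulus=MODULUS):
    """Open a secret: only possible with every share."""
    return sum(shares) % modulus

def secure_sum(private_values, n=NUM_NODES, modulus=MODULUS):
    """Each data owner sends one share to each node; every node adds the
    shares it holds; only the combined partial sums open the aggregate.
    Returns (total, node_partials, node_views)."""
    node_views = [[] for _ in range(n)]
    for value in private_values:
        for node, s in enumerate(share(value, n, modulus)):
            node_views[node].append(s)
    node_partials = [sum(view) % modulus for view in node_views]
    return reconstruct(node_partials, modulus), node_partials, node_views

def missing_share_for(known_shares, candidate, modulus=MODULUS):
    """The unseen share that would make known_shares open to candidate.
    One exists for every candidate, so the known shares rule nothing out."""
    return (candidate - sum(known_shares)) % modulus

# Constructed sample input: one private figure per data subject.
SALARIES = [52_000, 61_500, 48_250, 75_000]

if __name__ == "__main__":
    total, partials, views = secure_sum(SALARIES)
    print("aggregate revealed to the analyst:", total)
    print("what node 0 holds (uniformly random values):", views[0])
```
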

The Hive has been closely following the adoption of privacy protection in enterprises and the state of maturity of some of the technologies mentioned above. We believe that there is a big market opportunity in automating the tracing, simplification and minimization of the propagation of data privacy obligations in the enterprise (and across enterprises). Enterprise spending on this solution is already triggered by the penalties for non-compliance. Large advisory firms are consulting with enterprises to solve this problem, and they need support from products & technology to be able to scale up to the degree of complexity.

All these make the timing right for the launch of The Hive’s next co-creation, Data Secrets, which delivers the world’s first business process-centric enterprise data privacy protection product. It will serve business processes through platforms like Salesforce, Workday, Coupa, SAP, Oracle, etc. and trace data privacy obligations flowing into them at a workflow granularity. The product will have built-in domain awareness about data subjects, personal data, and privacy protection regimes. The product will come with an arsenal of advanced cryptography and MPC tools for simplifying and minimizing data privacy obligations. It will restrict propagation of obligations by becoming a layer of protection between process workflows and data stores. It will also have tools to track compliance and automate reporting.

Stay tuned for The Hive’s journey into the world of enterprise data privacy!