Lights and Technology
10 January 2022

Data Protection & Privacy: How to define an efficient strategy

With Artificial Intelligence and Machine Learning models, more and more sensitive data is being managed by organizations. This large volume of critical information is an attractive target for cyberattacks.

By Pedro Lopes, Data Analytics & AI Team Leader at Noesis
If data is seen as the new and most valuable commodity, it becomes essential to adopt a strategy to protect such a vital asset for organizations.
Thus, the topic of Data Protection and Privacy is increasingly on the agenda and should be at the center of any manager's priorities. It is estimated, according to Gartner, that as of 2022, 30% of attacks will focus on the source data of machine learning models.
Although we see some concern about the subject in organizations, primarily focused on improving their internal processes, it is certain that this is a critical issue, and one that will only grow in the coming years. Cyberattacks will be increasingly frequent and increasingly sophisticated.
Therefore, for the implementation of a Data Protection strategy, it is necessary, on the one hand, to increase the awareness of the business community on this issue, and on the other hand, to increase their technical know-how. It is essential to identify where and how one can innovate without compromising data security.
What can companies do to make the leap?
Customers will be increasingly loyal to organizations that ensure the security and privacy of their data. A company that wants to create different services and products in an innovative way, powered by data solutions, artificial intelligence, or analytics, must first define a proper data protection & privacy strategy and, secondly, put in place the tools needed to protect that data.
One of the possible solutions is for data to be "pseudo-anonymized." This means that an operational database, when it is migrated to the cloud, must first go through an anonymization process so that it remains protected there. In the event of a cyberattack that manages to bypass the organization's various layers of security and reach the database, the information collected will be of no use, because it cannot be used to identify individuals or be related back to them: it is the data itself that is encrypted, not just the database.
So it is not enough to look at security at the level of your networks, infrastructure, or peripherals and from a preventive perspective. You also need to think about security in the event of an actual breach, ensuring that no readable information can be extracted from the compromised data. This will be the last layer of defense in organizations.
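As an added illustration of the "last layer of defense" described above (example code written for this page, not a Noesis tool or anything the article itself provides), the block below pseudonymizes a small constructed customer table before it would leave the operational environment. It assumes keyed HMAC-SHA256 tokens as the pseudonymization method and assumes the key (and the re-identification table it produces) stay outside the cloud store; with those assumptions, a copy of the pseudonymized rows on its own contains no readable identifiers, while analytics that only need to group or join on a customer still work.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample rows standing in for an operational database (fictional people).
SAMPLE_ROWS = [
    {"customer_id": "C-1001", "email": "ana@example.com", "policy": "home", "claims": 2},
    {"customer_id": "C-1002", "email": "rui@example.com", "policy": "auto", "claims": 0},
    {"customer_id": "C-1001", "email": "ana@example.com", "policy": "auto", "claims": 1},
]

# Columns that identify a person or relate data to one; the rest is kept for analytics.
IDENTIFYING_FIELDS = ("customer_id", "email")

# Constructed demo key (assumption: in practice it lives in a key vault, never next to the data).
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymize_value(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token for one value.

    Same (field, value) under the same key gives the same token, so joins and
    group-bys still work; without the key a token cannot be mapped back.
    The field name is mixed in so an email and an id never collide on tokens.
    """
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:24]


def pseudonymize_rows(rows, key, fields=IDENTIFYING_FIELDS):
    """Return a copy of rows with every identifying field replaced by its token."""
    out = []
    for row in rows:
        new_row = dict(row)
        for field in fields:
            if field in new_row:
                new_row[field] = pseudonymize_value(key, field, str(new_row[field]))
        out.append(new_row)
    return out


def reidentification_table(rows, key, fields=IDENTIFYING_FIELDS):
    """Token -> original value map, kept by the data controller outside the cloud.

    This is what makes the process pseudonymization (reversible by the key holder)
    rather than full anonymization.
    """
    table = {}
    for row in rows:
        for field in fields:
            if field in row:
                table[pseudonymize_value(key, field, str(row[field]))] = str(row[field])
    return table


def leaks_identifiers(pseudonymized_rows, original_rows, fields=IDENTIFYING_FIELDS) -> bool:
    """Release check: does any original identifier value survive in the protected copy?"""
    originals = {str(r[f]) for r in original_rows for f in fields if f in r}
    return any(str(r.get(f)) in originals for r in pseudonymized_rows for f in fields)


def claims_per_customer(rows):
    """Analytics still works on tokens: total claims grouped by (tokenized) customer."""
    totals = defaultdict(int)
    for row in rows:
        totals[row["customer_id"]] += row["claims"]
    return dict(totals)


if __name__ == "__main__":
    protected = pseudonymize_rows(SAMPLE_ROWS, DEMO_KEY)
    print("leaks identifiers:", leaks_identifiers(protected, SAMPLE_ROWS))
    print("claims per tokenized customer:", claims_per_customer(protected))
    print("re-identification entries held back:", len(reidentification_table(SAMPLE_ROWS, DEMO_KEY)))
```

The design point is the split: the cloud copy gets only the tokens and non-identifying attributes, and the `reidentification_table` together with the key stays with the controller. Rotating the key, or using a different key per environment, yields unrelated tokens, so a stolen copy from one environment cannot be linked to another.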
It is necessary to ensure that the security and privacy teams in organizations are alert to the issue of data protection and have the required tools and know-how to implement these policies.
In the US, we've seen growing adoption of anonymization by companies, insurance companies for example, significantly boosted by the legislative changes introduced, namely with the IPA (Investigatory Powers Act). As far as Europe is concerned, there is a great disparity in the way the various countries approach this issue. There is also some concern regarding the adoption of Data Protection policies by public and governmental entities, which process citizens' personal data.
In Portugal, the big challenge is that of trust. It is necessary that organizations have a plan for this issue and, at the same time, that the fear of possible attacks does not affect their innovation strategies and investment in data.
This is a mission where everyone has a role to play, and this is the only way we can be safer and ensure the privacy of the data entrusted to us!
Published (in Portuguese) in IT Insight