Data bakery blog

PrivacyOps Course Thesis

Master AI Image Generation

PrivacyOps platform helps automate all major functions needed for privacy compliance in one place. It is the combination of philosophies, practices, automation, and orchestration that increases an organization’s ability to comply with a myriad of global privacy regulations reliably and quickly. PrivacyOps focuses on operationalizing privacy across the organization efficiently and agilely using machine learning, automation, and data intelligence.

It evolves an organization from traditionally manual methods across various functional silos to full automation in a cross-functional collaborative framework for most aspects of privacy compliance. Its reliability and responsiveness to data subjects’ requests enhance an organization’s trust equity and make it more trustworthy with sensitive personal data.

Certificate

The Modern Privacy Landscape

Data privacy refers to the privacy concerns that arise from how the information of data subjects from various sources, including personal connected devices, is collected, stored, combined, used, processed, shared, and disclosed across multiple platforms

Data Protection & Privacy Laws Around the World - Securiti

Personal data

Personal data is any information relating to an identified or identifiable natural person (data subject).

To determine whether a natural person is identifiable from a particular data set, one must consider all the means reasonably likely to be used either by the data controller or any other person to identify the said person. This analysis requires to take into consideration the following factors:

Objective factors such as the costs and amount of time required for the identification of the data subject.
Contextual elements that may vary case by case, such as population density, nature and volume of data, and
The use of available technology at the time of data processing.

Some common examples of personal data are:

Name
Identification number
Location data
Postal address
A unique personal identifier or an online identifier
Internet protocol address
Email address
Account name
Social security number
Driver’s license number
Passport number

Sensitive personal data is a specific set of personal data that requires additional protection as compared to other types of personal data. It is because of the reason that the breach of sensitive personal data can have much more detrimental effects on data subjects. For example, if a patient loses his medical record in a data breach, it could have a serious effect on his medical treatment and ultimately on his life. Similarly, biometric data loss can have disastrous financial and reputational effects on criminals. Therefore, health data and biometric data must be protected separately from other types of personal data. Under most modern privacy laws, such sensitive and special categories of personal data require additional safeguards.

The 7 Principles of Data Protection

• **Lawfulness, fairness, and transparency:**This principle requires organizations to process personal data lawfully, fairly, and in a transparent manner. • **Purpose limitation:**This principle requires organizations to process personal data only for specified, explicit, and legitimate purposes. • **Data minimization:**This principle requires organizations to collect the data adequate, relevant, and limited to what is necessary for the purposes for which they are processed. • **Accuracy:**This principle requires organizations to keep the data accurate and take reasonable steps to ensure that inaccurate personal data has been erased or rectified. • **Storage limitation:**This principle requires organizations to keep the data in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. • **Integrity and confidentiality:**This principle requires organizations to ensure an appropriate security of the personal data and protect it against unauthorized or unlawful processing, security incidents, or personal data breaches. • **Accountability:**This principle holds organizations responsible for the protection of personal data. Organizations must be able to demonstrate compliance with the applicable legal requirements.

Privacy-by-design

Privacy-by-design means embedding privacy into the design of IT products, systems, and business practices and integrating data protection considerations before the collection and processing of personal data. It refers to having in-built abilities that would prevent personal data breaches rather than repairing and restoring systems in the aftermath of a personal data breach.

Privacy-by-default

The privacy-by-default approach requires organizations to implement appropriate technical and organizational measures to ensure that, by default, the data subject has been provided the strictest privacy measure available.

Privacy-by-default allows organizations to build efficient privacy technologies and consider data protection principles into their products throughout the product’s lifecycle.

In light of privacy-by-design and privacy-by-default approaches, organizations must designate data protection responsibilities in their teams and implement effective risk assessments.

GDPR: general data protection regulation EU

is the strongest privacy and security law in the world. This regulation updated and modernised the principles of the 1995 data protection directive. It was adopted in 2016 and entered into application on 25 May 2018.

The GDPR defines:

individuals’ fundamental rights in the digital age
the obligations of those processing data
methods for ensuring compliance
sanctions for those in breach of the rules

GDPR compliance checklist - GDPR.eu

Most privacy regulations grant regulatory authorities a wide range of powers that may include the ability of the regulatory authority to:

Impose excessive amounts of fines against organizations,
Issue warnings and reprimands to the responsible organization,
Temporarily or permanently stop the data processing,
Require the notification of personal data breaches,
Order the rectification, restriction, or erasure of data, or
Suspend cross-border data transfers.

Organizations must adopt strategies for effective data privacy management keeping in consideration the critical data protection principles and approaches of privacy-by-design and privacy-by-default

Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.

Privacy Law Compliance and PrivacyOps

The Rapidly Changing Privacy Landscape

The 21st century will be defined by computer technology, and at the heart of it is data. Over the past few years, internet users worldwide have realized that their personal data is being stored, processed, and shared to generate massive profits for technology companies like Google and Facebook. This realization has led to awareness about the importance of personal data and that data privacy is, in fact, a fundamental human right.

Since the implementation of GDPR in 2018, countries have been quickly formulating and adopting new privacy laws. California was the first U.S. state to implement a privacy law known as the California Consumer Protection Act or CCPA. Now, more than 120 countries have passed their privacy laws. These new privacy regulations reflect a groundswell of sentiment that an individual’s right to privacy vs. business organizations’ right to collect, process, and otherwise leverage personal data (PD) for commercial gain had gotten out of balance. New privacy laws are quickly being drafted, discussed, and implemented across the globe. Businesses that rely on collecting and processing personal data must enforce robust privacy policies and comply with governing privacy laws.

Issues with the Legacy Privacy Management Approach

Organizations use personal data to craft individualized brand experiences for data subjects. As a result, these organizations store and manage more personal data of various kinds in a structured and unstructured manner. The continuing privacy compliance regime makes it clear that the implicit or explicit abuse, misuse, or breach of personal data by organizations causes serious harm to their brand image, as well as opening them to regulatory fines and lawsuits.

Global privacy regulations’ stringent requirements challenge organizations’ adherence to traditional compliance and privacy management practices driven by periodic manual surveys and assessments of structured and unstructured data. Full compliance with these new data privacy regulations is exceptionally complicated and frustrating, as people’s data often sprawls across hundreds of internal and third-party systems. These systems span multiple different organizational silos, adding to the complexity of coordinating compliance.

In the past two decades, compliance solutions have evolved from manual surveys that capture a snapshot in time to workflow management and web portals. While the advent of web portals has improved the user experience, these solutions still lack the true end-to-end automation needed for agile and accurate privacy compliance.

What is PrivacyOps?

Why is PrivacyOps Needed?

To eradicate the complexities in traditional privacy management practices, a new approach is needed. An approach anchored in the real-time understanding of personal data across the vast array of internal and external systems spanning multiple organizational silos. A strategy that couples the data intelligence with streamlined automation and orchestration across silos to enable efficient and timely compliance with these new regulations.

DevOps has emerged as a new approach for efficiently delivering software in a more agile way, and many organizations are now exploring a PrivacyOps approach for compliance. For organizations to better manage their users’ Personal Data, privacy compliance should be automated across the overall operation’s multiple processes.

The Benefits of the PrivacyOps Approach

Following are some of the benefits of cultural change, automation, orchestration, and collaboration enabled by PrivacyOps:

Better understanding A common PrivacyOps framework that correlates information from various privacy practices, such as readiness assessment, data discovery/linking, consent management, and DSR fulfillment, can provide a better overall understanding of privacy posture and regulatory risks to the organization.
Real-time oversight of privacy risks An up-to-date real-time view of the data privacy risks that may exist inside the organization, based on how data is collected from subjects of various residencies, how consent is collected along with data, how personal data is shared internally and externally, and where it is stored.
Agility Move at high velocity to accomplish and maintain compliance with ever-changing privacy regulations across various geographies. Respond to data subject requests swiftly from multiple geographies with ease, providing a delightful and trust-building experience to subjects. Quickly notify affected subjects of any security incidents and breaches, as required by multiple privacy regulations. Reduce time spent on manual efforts, increasing productivity and effectiveness.
Reliability Ensure that various aspects of privacy compliance across the organization, including internal assessments, vendor assessments, PI data linking, consent understanding, the fulfillment of data subject requests, and compliance records, are reliable. Greater reliability builds trust with subjects, avoids regulatory penalties, and enhances the organization’s brand.
Scalability Operate various aspects of privacy practice at scale, across multiple applications, with large data sets, across different geographies, and diverse stakeholders and regulations.
Increased Expertise Increases the privacy understanding and expertise of diverse teams across the organization by spending more time on expert-level tasks than manual and mundane tasks related to assessments, DSR fulfillment, data discovery, and subject communication.
Improved Secure Collaboration Enable effective collaboration across diverse teams, from legal, privacy, IT, cybersecurity, marketing, development, and support groups. Enable collaboration around sensitive PI data without the need to share sensitive PI data over generic email and messaging tools.
Improved Brand Develop a unique market position with trust-based relationships with both prospective and current clients. Providing transparency on data handling practices and swiftly fulfilling access requests builds trust. The prospect of implementing a secure and transparent PrivacyOps infrastructure nurtures further awareness of the emergent need to adopt such practices on an industry-wide scale. This coincidentally serves as a motive in developing standardized PrivacyOps procedures and, therefore, a possible market niche for a singular platform.

Sensitive Data Intelligence

Sensitive Data Intelligence (SDI) is a class of solutions that help organizations discover, analyze, and protect large datasets

Why Do Organizations Need Sensitive data Intelligence?

Sensitive Data Intelligence helps organizations overcome challenges by creating visibility into personal and sensitive data across all organizational structures. This visibility allows organizations to classify datasets as per their sensitivity, assign risk scores to datasets depending on how much security a particular type of dataset needs, and link data to its correct owners (data subjects).

The Sensitive Data Intelligence Adoption Process

A few examples of SDI-driven privacy compliance include the following:

Data mapping Sensitive Data Intelligence enables organizations to conduct effective and automated data mapping, which is considered a foundational step towards fulfilling all other legal requirements of applicable privacy laws.
Data subject rights fulfillment Sensitive Data Intelligence enables organizations to respond to a data subject’s request within the stipulated deadline under the applicable privacy law.
Breach management and notification Sensitive Data Intelligence swiftly identifies compromised data and impacted data subjects in a security incident. It utilizes built-in privacy research to help organizations make required breach notifications within hours of a security incident.
Consent management Sensitive Data Intelligence enables organizations to capture the user’s consent and facilitate consent revocation for consent-based data processing. Consent status remains updated across all data systems.

The following steps help organizations build their comprehensive data asset catalog:

Discover all current data assets, including the following:
- Shadow assets such as databases and file servers running on generic compute instances often go unaccounted for when migrated to cloud environments.
- Advanced metadata of shadow assets such as instance properties, version, vendor information, open ports, etc.
- Cloud-native data assets such as cloud storage buckets, data warehouses, data lakes, and databases are deployed across multi-cloud environments.
- Advanced metadata of native assets such as vendor information, encryption, status, port information, location, owner, size, etc.
Create visibility into data assets via native integration (APIs and other native integration mechanisms) that automatically extracts all assets and metadata associated with data assets into a single catalog. The SDI solution connects with configuration management databases (CMDBs) and cloud providers (e.g., AWS, Azure, GCP) to collect all data assets into a single repository.
Import and map various asset properties and attributes from CMDBs to the data catalog. The CMDBs are populated and enriched by synchronizing asset metadata.

• Business metadata: Business metadata attributes include data asset owners, data privacy officers, asset locations, IP address, etc. With these insights, DPOs can deliver privacy assessments, assess security measures and require assistance on other business tasks. Moreover, business metadata provides more business context about the data and can help map the relationships between objects in the catalog (like the relations between databases, datasets, and columns). • Technical metadata: Technical metadata in the context of privacy and security includes insights such as retention policies – the number of days the organization should retain a particular data attribute to comply with data retention and disposal policies. Organizations can use several other tags to describe the purpose of data processing or purpose limitation scenarios. • Security metadata: Security metadata tends to provide insights into the security posture of the data asset, how the data is protected, and define sensitivity labels such as public, general, confidential, highly confidential, and many more. Depending on the security metadata, the organization can enable security controls such as encryption, masking, tokenization, and anonymization. Data access policies ensure that data is only accessible to authorized personnel.

Structured data is highly specific and is stored in a predefined format, where unstructured data is a compilation of many varied types of data that are stored in their native formats. This means that structured data takes advantage of schema-on-write and unstructured data employs schema-on-read

Structured data is typically stored in tabular form and managed in a relational database (RDBMS). Fields contain data of a predefined format. Some fields might have a strict format, such as phone numbers or addresses, while other fields can have variable-length text strings, such as names or descriptions. Structured data might be generated by either humans or machines. It is easy to manage and highly searchable, both via human-generated queries and automated analysis by traditional statistical methods and machine learning (ML) algorithms.

Structured data is used in almost every industry. Common examples of applications that rely on structured data include customer relationship management (CRM), invoicing systems, product databases, and contact lists.

Unstructured data includes various content such as documents, videos, audio files, posts on social media, and emails. These data types can be difficult to standardize and categorize.

Unstructured data often consists of data collections rather than a clear data element—for example, a document with thousands of words addressing multiple topics. In this case, the document’s contents cannot easily be defined as one entity. Generally, tools that handle structured data cannot parse unstructured documents to help categorize their data.

Unstructured data is manageable, but data items are typically stored as objects in their original format. Users and tools can manipulate the data when needed; otherwise, it remains in its raw form—a process known as schema-on-read.

An effective SDI solution must have the following features:

**The ability to identify hundreds of personal and sensitive data attributes across regulations, regions, and industries:**An effective SDI solution can identify hundreds of personal and sensitive data attributes across multiple systems and platforms of the same organization and across industries such as healthcare, financial, education, and government. It also can cater to a wide range of privacy regulations.
**Petabyte scale data discovery:**An effective SDI solution can optimize data scan performance. It has a built-in elastic scaling feature that spins up new nodes based on available data, time, and cost. Such scanning allows organizations to scale and support the petabyte volume of data assets, even if these assets are spread across multiple organization systems.
**Enhanced data detection efficacy:**An effective SDI solution with in-built natural language processing, artificial intelligence, and machine learning techniques greatly improves its ability to discover sensitive data with extremely high efficacy rates.
**Policy & Workflow engine:**An effective SDI solution has an in-built policy and workflow engine to enforce security and privacy policies across any cloud environment.
**Integrated data security and privacy management:**An effective SDI solution can address various privacy and security functions from a single dashboard.
**Flexible deployment models:**An effective SDI solution has flexible deployment models to cater to all kinds of organizations, including those with adequate data security infrastructures and those with none.

Data Mapping Automation

What is Data Mapping? (Defined & Explained)

Data mapping is the system of cataloging the data collected by an organization, how it is created, stored, used, processed, shared, archived, and destroyed within an organization.

Data mapping is a fundamental requirement for any organization’s operational needs:

It allows organizations to organize, catalog and structure their stored data.
It makes data management and protection a more efficient process for an organization – i.e riskier data can be provided additional protections.
It enables organizations to keep a track of where their data is flowing which helps maintain adequate records of data processing activities including how data is being processed or stored, where it is transferred to and the risks associated with its processing.
It allows organizations to easily access and find relevant data whenever required – allowing much better leveraging of the data for the organization’s operational needs.

Why Do Organizations Need a Modern Data Mapping Solution?

What Questions Does Data Mapping Help Answer?

RoPAs (Record of Processing Activity). An organization’s record of processing activities (RoPA) refers to a requirement laid out in Article 30 of the General Data Protection Regulation (GDPR), which states, in part, that a controller must “maintain a record of processing activities under its responsibility,” including “all categories of processing activities.” A valid RoPA will be the product of efficient record keeping procedures and accountability within an organization, and the continued review and maintenance of these procedures will promote compliance with GDPR standards.

Challenges and Solutions of Data Mapping Explained

Challenge 1: Complex coordination

Gathering information on data assets and data processes is often a manual process requiring complex coordination between privacy, IT, and other teams across the organization. In some cases, organizations may also need external partners to gather information.

Existing legacy systems and methodologies for data mapping make collaboration between various stakeholders complicated. The risk of data sprawl, that is, the unaccounted spread of personal data to multiple systems, is very high because the information is collected or shared via emails and spreadsheets. The risk of missing out on important information on specific processes or systems is also very high.

The measurable business value we get from this privacy portal is:

Reduced costs and complexity
Ensuring an organization’s data maps are comprehensive and
All the relevant stakeholders can collaborate easily.

Challenge 2: Outdated records

Information on data asset processes can quickly become obsolete due to data’s dynamic nature, collection, and flow in the organization.

Legacy methods of data mapping using spreadsheets and word documents require significant time, resources, and capital to ensure data maps once created within an organization are constantly maintained and updated by privacy teams. Even then, given the dynamic nature of organizations and businesses in the modern world, the risk of not capturing specific updates exists due to human error. This increases the risk of regulatory sanctions as well.

Challenge 3: Continuously changing software

Incorporating privacy by design principles within the software and ensuring those principles are maintained during the entire development lifecycle is a regulatory requirement. Also, the organization’s brand reputation is at risk if it fails to protect customer personal data.

The Data Mapping Process

• Step: The organization must import all assets into an asset catalog by connecting existing databases to the data mapping tool or importing CSV files into the tool. • **Step:**Sensitive personal data is discovered and cataloged through discovery assessments or AI-powered automated scans. • Step: The tool maps the discovered assets to data processing activities. If done manually, this step takes considerable time and resources because of the massive amounts of data. Modern data mapping tools use AI-powered automation to simplify and quickly complete this process. • Step: The tool dynamically triggers Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) based on the newly discovered data and processes. Subsequently, organizations re-evaluate their privacy posture and take necessary steps to mitigate data protection risks. • Step: After PIAs and DPIAs are complete, organizations can easily track and monitor its risks associated with each data process. • Step: The data mapping tool automatically generates dynamic visual data maps and RoPA or Record of Processing Activity reports. RoPA reports may also be a regulatory requirement for an organization collecting personal data. With visual data maps, organizations can easily monitor cross-border traffic and other key data patterns and exchanges.

Data Subject Rights (DSR) Fulfillment

Data Subjects Rights (DSRs) Types

One of the cornerstones of current privacy regulations and laws is the rights they grant to data subjects over their data.

Specifically, through these laws and regulations, data subjects can now require an organization that has collected and is processing or sharing their data (known as a data controller under the GDPR) to hand over, modify or delete the data within a stipulated time period or stop processing their personal data using a simple request. If the organization fails to do this, it could face penalties and enforcement actions brought about by the regulatory authority or the data subject.

Manual DSRequest Fulfillment

****• Verify the identity of the person making the DSR. • Discover which systems and which objects within those systems hold the data subject’s personal data. A typical enterprise may have hundreds or thousands of such internal and external systems. • Discover current owners of those systems and objects. In a typical enterprise, the ownership changes regularly. • Engage owners of systems and objects over email or other methods and share the details of the subject. • Work with each system and object owner to comply with the request. The actions required vary depending upon the request type and the legal reasons for data retention. • Combine the products of all parts of the investigation into one report for approval by the stakeholders and the legal team. • Securely share the report with the data subject. • Keep an audit trail of all the steps taken to comply with the request and prove compliance in case of legal issues.

DSR Fulfillment Process

Collecting DSR requests

A branded, customer-facing web form can be set up within minutes for an organization’s users to efficiently and securely submit DSR requests.

This webform is compatible and optimized to function on multiple platforms such as computers, mobile phones, pads, etc. The organization can set it up with customizable lists, entry fields, radio buttons, and content windows to simplify an organization’s users’ request process.

Verifying DSR requests

This entry form is secured from identity fraud and malicious access with a robust and innovative identity verification process.

Organizations can also set up 3rd party ID verification services – to ensure specialized ID verifications as per industry requirements can be met.

An organization’s members can also fulfill Non-digital DSR requests. They can create DSR requests on behalf of customers through the DSR dashboard itself.

Once a DSR request is received and verified, it can be approved by the organization- making a DSR ticket within the secure privacy portal – and it shall set up a series of tasks and subtasks which can be fulfilled by the organization manually, or it may choose to have them fulfilled through AI-powered robotic automation and next-generation data intelligence.

Build People Data Graphs

The next step is for the platform to build personal data graphs (PDGs) or utilize existing ones.

Customers’ personal data can easily migrate or duplicate across various operations or systems in many large organizations. From CRM applications to random spreadsheets and PDFs – customer personal data used, processed, or stored in these multiple systems need to be accounted for when fulfilling DSR requests (i.e., access, deletion, and rectification requests).

Through the PrivacyOps approach, innovative data intelligence powered by AI automatically discovers and links personal data across various data systems and processes. This automated discovery and linking of customers’ personal data scattered around in an organization’s multiple systems and processes to unique customer IDs allows organizations to build comprehensive ‘People Data Graphs’ (PDGs) which record and keep track of all the various systems and processes where a particular customer’s personal data is being used, processed or stored.

PDGs provide organizations with comprehensive and foundational snapshots required to efficiently fulfill DSR requests and a myriad of other privacy functions such as breach notification management. PDGs also highlight and extract all sensitive personal data categories directly from an organization’s data stores. This functionality allows DSR access and confirmation requests to be fulfilled quickly and efficiently.

Orchestrate Tasks for Review and Approval

When a verified DSR request is received from a customer and PDGs are created to find the concerning personal data of the requesting data subject, AI-powered robotic automation then automatically creates tasks and subtasks for subject matter experts to complete based on the DSR request type.

An organization may choose to create these tasks or subtasks themselves or approve the ones made through robotic automation. All tasks and subtasks have owners assigned. These owners must complete their tasks to meet the DSR deadline. Each privacy law has its own deadline for DSR request fulfillment.

Thus, an organization’s DSR fulfillment process becomes a very efficient mechanism under the PrivacyOps approach because of the above. All the owners and stakeholders need to do is approve the tasks and subtasks – created through robotic automation – to see customer DSR requests get fulfilled without wasting precious human resources or risk of non-compliance within the strict deadlines provided by the laws.

Secure collaboration

Multiple system owners can be invited onto one secure platform. This platform is called the **“DSR Workbench.”**The workbench is used to collaborate on creating or approving tasks to fulfill DSR requests.

The DSR workbench is secure and has an integrated messaging system for collaborative working to eliminate the risk of data sprawl. The DSR workbench also organizes tasks for different system owners, utilizing internal regulatory knowledge to ensure DSR requests are approved and fulfilled quickly.

Deliver Responses Securely

Along with customizable forms for DSR intake and a workbench to process those requests, organizations also need to ensure that the reports and responses upon DSR fulfillment are securely handed back to the verified data subjects. If a DSR fulfillment report is provided to any individual other than the data subject (or an authorized representative of the data subject), regulatory authorities would consider it a breach of personal data.

DSR Fulfillment Maturity Levels

Assessment

An assessment provides a professional, independent, and systematic overview of how well an organization (its several internal departments, divisions, or vendors) comply or is ready to comply with different privacy regulations. It provides a snapshot of personal information handling practices relating to an organization. It consists of sets of questions divided into sections that address various aspects of privacy compliance readiness.

Why do Organizations Need Assessments?

Data privacy regulations like GDPR, CCPA, etc., require organizations that process personal data to implement privacy compliance policies and measures so that data subjects can have greater control over their personal data. These privacy regulations require all internal systems to complete assessments to detect gaps between laws and organizational policies and measures. These compliance requirements could be broadly applicable to the entire organization or narrowly focused on a product, business unit, system, or process within the organization.

Therefore, to ensure proper compliance, organizations are required to conduct privacy and data protection assessments of their implemented technical, physical, organizational and other security measures. Organizations may have hundreds of internal systems that require different assessments. These assessments can help organizations in the effective implementation of privacy compliance policies and in evaluating and minimizing data protection risks, and enhancing individuals’ privacy at the same time.

Types of Assessments

Readiness AssessmentA Readiness Assessment evaluates whether an organization has undertaken the right measures (i.e., administrative, legal, and technical) to comply with specific privacy regulations and all its current data protection capabilities. A Readiness Assessment is far more than a checklist; it engages stakeholders from all business areas and uses questions with their responses to identify risks caused by gaps between current organization policies and regulatory requiremen

Privacy Impact AssessmentA PIA helps organizations identify and minimize the privacy risks of new projects, processes, or policies. PIA ensures that potential problems and privacy risks are identified at an early stage of a project when addressing them will be simpler and less costly. PIA requires organizations to have written policies and procedures that the organization can implement in their projects effectively.

PIA can assist organizations to:

describe how personal information flows in a project
analyse the possible impacts on individuals’ privacy
identify and recommend options for avoiding, minimising or mitigating negative privacy impacts
build privacy considerations into the design of a project
achieve the project’s goals by enhancing the positive privacy impacts
ensure the project is compliant with privacy laws.

Data Protection Impact Assessment

DPIA is a process that helps organizations identify and minimize the data protection risks of a project. A DPIA enables organizations to incorporate data protection considerations into organizational planning and demonstrate compliance to regulatory authorities. Conducting a DPIA for any significant project that requires personal data processing is considered good practice for privacy compliance. In some cases, DPIAs might be a legal requirement. For instance, under Article 35 of GDPR, organizations must complete a DPIA for data processing projects that are likely to result in a high risk to individuals. A DPIA must include the following:

Identify the nature, scope, context, and purposes of data processing;
Assess necessity, proportionality, and compliance measures;
Identify and assess risks to individuals data privacy; and
Identify any additional steps to mitigate those risks, including safeguards, security measures, and mechanisms to ensure personal data protection

Legitimate interest is the most flexible lawful basis for processing, but organizations cannot assume it will always be the most appropriate one. Therefore, organizations must conduct a Legitimate Interest Assessment to determine its appropriateness. A Legitimate Interest Assessment includes the following steps:

identifies a legitimate interest;
shows that the processing is necessary to achieve it; and
balances it against the individual’s interests, rights, and freedoms.

Cross Border Transfer Impact Assessment which assesses individuals’ privacy risks and data protection risks arising from the cross-border transfer of personal data.

Organizations also conduct assessments to collect information that they use to create or enrich data catalog items with information from the assessment responses. Once they publish such an assessment, the information collected is added to the data catalog entry for the asset or process.

Manual Assessment Methods

Assessment practices face several challenges:

Collaboration can be inefficient and difficult to manage over Word docs or spreadsheets
Review, approval, and tracking are not standardized for regular audits
Reminders of deadlines to complete assessments have to be sent manually
Analytics of all ongoing assessments are challenging to compile
Evidence collected for all assessments may not be centralized, making it difficult to extract
It is challenging to keep up with frequent regulatory changes
Maintaining periodic updates incurs high operational overhead costs
Sharing assessment results with customers and partners manually via email or other insecure channels

Some automation propositions:

• A system-of-knowledge that provides audit templates for various privacy regulations, • A system-of-record to keep all assessments in one place, • A system-of-collaboration to bring all stakeholders in one place to provide inputs, and • A system-of-automation to automate workflows and streamline assessment processes.

Consent Lifecycle Management

Consent means that data subjects authorize organizations to collect and process their personal data. Generally speaking, consent is revocable; that is, data subjects can withdraw consent at any given time after they have given their consent. Once a data subject has withdrawn consent, all data processing operations that were based on his/her consent and took place before the withdrawal of consent remain lawful. However, organizations must stop the processing of the data immediately. It can continue the further processing of data only if there exists another lawful basis justifying its processing.

Consent is considered valid when data subjects understand the nature, purpose, and consequences of collecting, using or disclosing their personal data.

Consent is considered valid after the following conditions are met:

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/freely_given.svg

Consent must be freely given:

The element of “freely given” implies that natural choice and control lie with the data subject. For consent to be considered freely given, data subjects must be able to withdraw or refuse their consent at any time without detriment. Consent cannot be bundled up as a non-negotiable part of terms and conditions. Furthermore, organizations should not place any conditions on consent before a data subject can access a service.

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/specific.svg

Consent must be Specific:

The element of “specific” implies granularity; organizations must obtain separate and explicit consent for particular data processing purposes. If data collection has multiple purposes, the organization must explain each purpose separately. Consequently, the data subject must provide consent for each purpose separately as well.

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/informed.svg

Consent must be Informed:

The element of “informed” implies that data subjects have all relevant information that would enable them to make an informed choice. In particular, organizations must inform data subjects about the potential risks and consequences of granting or denying consent.

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/unambiguous.svg

Consent must be Unambiguous:

The element of “unambiguous” refers to organizations’ obligation to obtain data subject’s consent explicitly and clearly, and avoid the use of any dark patterns to obtain data subjects’ consent.

Opt-in and Opt-out consent regimes

Opt-in consent regime

In an opt-in consent regime, the data subject’s consent is required before the collection and processing of personal data. Such jurisdictions function on explicit consent requirements, meaning that the data subjects are explicitly asked for their consent to personal data processing and are free to grant or deny consent.

Opt-out consent regime

In an opt-out consent regime, the data subject’s consent is not required before processing personal data. However, organizations are still required to inform data subjects about the types of personal data to be collected and their purposes and provide them an option to object to data processing.

To successfully implement an opt-in consent, organizations must:

Process personal data only once consent has been obtained from data subjects,
Provide data subjects equally prominent choices of “accepting” and “rejecting” the processing of personal data,
Provide sufficient information to data subjects about why the organization collects their personal data and what the organization will use it for.
Avoid using any dark pattern to obtain the data subject’s consent, including pre-ticked checkboxes and cookie walls.

To successfully implement an opt-out consent, organizations must:

Have a “Do Not Sell My Personal Information” button or link on the website’s homepage and in the privacy policy. This allows data subjects to opt out of the sale and sharing of their personal data.
Provide sufficient information to data subjects about personal data categories to be collected and its purposes, including sensitive personal data and its objectives.
Inform data subjects whether or not their personal data is sold or shared.
Inform data subjects if their data will be sold or shared and the total time their data will be retained by the organization. This is also known as the data retention period.
Avoid using any dark pattern, such as not making the “opt-out” or “Do Not Sell My Personal Information” option prominent enough for the data subject to notice on the webpage.

What is Universal Consent Management?

Universal Consent Management enables organizations to capture consent and automate revocation fulfillment in a simplified and automatic manner.

Why is Universal Consent Management needed?

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/cost.svg

Under most global privacy laws, personal data can be processed only if there is a lawful basis to do so. The data subject’s consent is one of the lawful basis of personal data processing. In some circumstances, the data subject’s consent may be the only lawful basis of personal data processing.

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/data.svg

If an organization relies on the data subject’s consent for personal data processing. In that case, it must demonstrate that the processing is taking place only once the data subject has consented to such processing.

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/time_clock.svg

Consent as a lawful basis for data processing is not limited to using personal data for advertising and marketing purposes. Instead, it is essential wherever the possibility of identifying the individual exists. Organizations must obtain the data subject’s consent if it is possible to single out an individual, link records relating to an individual, or infer any information concerning an individual.

Universal Consent Management under GDPR and e-Privacy Directive

The GDPR and e-Privacy Directive are based on opt-in consent regimes, requiring consent to be freely given, specific, informed, and unambiguous indication of the data subject’s wishes.
Data subjects also have the right to withdraw their consent at any time. It is important to note that consent withdrawal shouldn’t affect the lawfulness of data processing. Once an individual opts out from the organization’s marketing communications, the organization must not send them any further marketing communications nor invite them to opt back into marketing.
Organizations must obtain the explicit consent of the data subject for the processing of special categories of data. These categories include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life sexual orientation.
In the digital context, the organization may obtain explicit consent in the form of an electronic signature, an email, an uploaded scanned document, or any other similar mechanism to ensure the data subject’s express and explicit consent.
Organizations must be careful while processing employees’ personal data based on their consent. In most cases, employees do not have genuine freedom to consent due to an unequal balance of power in an employer-employee relationship. Therefore, consent should effectively be a measure of last resort for an employer to turn to.

Universal Consent Management under CCPA

The CCPA treats consent as an affirmative authorization of data subjects to allow the sale of their personal data.
The CCPA is based on an opt-out consent regime that does not require organizations to obtain the data subject’s consent before collecting and processing their personal data.
However, organizations must not collect and process any personal data before notifying data subjects about the categories of personal data to be collected and their purposes, retention periods, providing users the option to opt-out, and letting them acknowledge the notification.
The CCPA requires organizations to obtain consent from minors concerning the sale of their personal data.
- If a business is confident that the data subject’s age is less than 16 years, it must not sell personal data without taking consent from the minor.
- For data subjects aged 13 years or less, the organization must obtain consent from their parent or guardian.

What is Cookie Consent Management?

Cookie Consent Management enables organizations to effectively capture consent before storing cookies and other similar tracking technologies such as beacons, pixels, local storage, and more on data subject’s devices.

Why is consent needed for the use of cookies?

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/cost.svg

Website publishers use cookies and similar tracking technologies for cross-site tracking, cross-context behavioral advertising, contextual advertising, and other types of advertising.

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/data.svg

Cookies collect data to identify website users and build their profiles.

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/sold.svg

This data is then sold on to several third parties, including ad networks, social media companies, and analytics providers.

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/informed.svg

Most global privacy laws now require the data subject’s consent before installing cookies and similar tracking technologies on their devices.

Cookie Consent under GDPR and e-Privacy Directive

The GDPR and e-Privacy Directive require organizations not to load any non-essential cookies on web pages unless they have a cookie consent banner on their website and data subjects have consented to the use of those cookies.

A GDPR and e-Privacy Directive compliant cookie consent banner must:

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/gdpr.svg

Have clear and comprehensive information about cookies:

The cookie consent banner must contain plain and understandable information about the cookies that an organization intends to use. The information must include at the least

The information on general purposes of cookies,
The data subject’s ability to withdraw and change consent along with the method of doing so,
The data controller’s name and identity,
The data processors’ name and identities,
A complete list of recipients or categories of recipients who will obtain personal data through the processing of cookies, and
All relevant Information on individual cookie properties

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/data-protection.svg

Data subject’s ability to withdraw and change the consent:

The cookie consent banner must give equal prominences to accept and reject options. The data subject must be allowed to withdraw consent or change consent at any time, without any detriment in a user-friendly and easy mechanism.

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/accountability.svg

Selection and deselection of individual cookies categories:

The cookie consent banner must allow the selection and deselection of respective cookie categories based on their purposes. This requires organizations to have separate opt-in and opt-outs for different categories of cookies based on their purposes.

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/category.svg

No pre-selected checkboxes or cookie walls:

The cookie consent banner must not have pre-selected preferences by default for non-essential cookies. Similarly, an organization must not access a service or functionality of a website conditional on the data subject’s consent to the collection and processing of non-essential cookies.

Cookie Consent under CCPA

The CCPA requires organizations to not load any non-essential cookies before displaying relevant information to users about cookies.

A CCPA compliant cookie consent banner must include the following:

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/gdpr.svg

Information about the use of cookies and their purposes

Under the CCPA, organizations must inform data subjects at or before collecting the categories of cookies collected and the purposes for which the organization will use cookies.

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/notification.svg

Notice of the right to opt-out of the sale of personal data

Under the CCPA, organizations must allow data subjects to opt-out of the sale of their personal data via cookies by displaying a clear message and prominent link titled “Do Not Sell My Personal Information,” enabling data subjects to opt-out of the sale of their personal data.

!https://education.securiti.ai/wp-content/themes/privaci-portal/_ui/media/uploads/acf-icons/linkability.svg

A link to the organization’s privacy policy

Under the CCPA, organizations must display a link to the organization’s privacy policy that should be posted online through a prominent and conspicuous link using the word “privacy” on the organization’s website homepage or the download or landing page of a mobile application.

Besides, organizations must allow consumers to opt-out of the sale or sharing of personal information and limit the use of their sensitive personal information (under the new law, California Privacy Rights Act). Therefore, organizations must not load any non-essential cookies before notifying data subjects adequately, providing them an opt-out option, and letting them acknowledge the notification.

Moreover, the CCPA requires organizations to obtain the data subject’s consent to sell personal data belonging to minors. Where an organization has actual knowledge that the data subject is less than 16 years of age, it must rely on the explicit opt-in consent for the sale of their personal data and obtain consent from data subjects if they are at least 13 years of age and less than 16 years of age and from parents or guardians of data subjects where they are less than 13 years of age.

GDPR (opt-in consent regime) and CCPA (opt-out consent regime) are not the only examples of data protection laws that require cookie consent notices. Many countries have drafted their laws based on the framework set up by GDPR and CCPA, and therefore, cookie consent notices are required by most global privacy regulations.

!https://education.securiti.ai/wp-content/uploads/2022/07/compairing-consent-1-1024x500.jpeg

A summary of cookie consent banner requirements under opt-in and opt-out consent regimes.

Privacy Policy $ Privacy Notice Creation & Management

What are Privacy Notices & why are they important?

A Privacy Policy is an internal document that governs how the organization will collect, store, protect, and utilize personal data provided by its users and other internal stakeholders. It is an internal document meant for an internal audience i.e it lets employees know how to manage personal data collected by the organization.

Privacy Notice is provided to customers, users and other interested external parties about an organization’s data collection and privacy practices. It is a representation from the organization to the user on what type of personal data they collect, why they need it, what they will do to it, who they will share it with and what rights the data subject retains.

Privacy notices are found even where the law does not mandate an organization to provide one – many regulators consider privacy notices akin to contractual promises between the organization and the data subject. Thus, organizations need to ensure that the representations they provide within privacy notices are accurate, transparent, and accountable.

In general, a compliant privacy notice should at least include:

What types of personal data are collected?
How is the personal data collected and used?
How is personal data stored?
How can users manage cookies?
How can users contact the organization?
How are changes to privacy notice communicated?
What are the user’s data protection rights?
When was the privacy notice last updated?
What type of cookies are used and their purpose?
How can users contact appropriate privacy authorities in their jurisdiction?

Many major global regulations such as the GDPR, CCPA, and LGPD have also imposed additional strict requirements for privacy notices by organizations collecting data within their jurisdictions.

These requirements include mentioning specificities of data collection, sale, retention, processing, data subjects’ and minors’ rights, and other vital metrics within the privacy notice.

With more countries promulgating new data privacy laws worldwide, organizations collecting personal data need to develop efficient mechanisms to ensure their user-facing privacy notices are updated and compliant.

The Relationship between Privacy Notices and Risk

With a greater focus on data privacy worldwide, data subjects also expect organizations to take a ‘privacy forward’ approach to collecting and using their personal data.

An organization’s privacy notice – its content and accuracy – is considered crucial evidentiary material to judge its sensitivity to consumer privacy concerns – thus, the privacy notice deserves attention and care to reduce reputational risk to the organization.

Since privacy notices are forward-facing, any compliance violations are easy pickings for regulatory agencies. Thus, privacy notices need to be taken seriously, and organizations need to invest in ensuring compliance.

The Challenges of Manually Creating & Managing Privacy Notices

Manual mechanisms to draft and update privacy notices in line with regulatory requirements are costly, lengthy, inefficient, and risky endeavors for organizations. This is because:

All organizations are constantly updating or changing the purposes for which they collect, process, share, sell or retain the personal data of data subjects, and thus, being able to update these details within the privacy notice in real-time becomes an issue of coordination and management;
Many SMEs lack the expertise of drafting privacy notices quickly according to regulatory requirements and must hire expensive legal specialists. This makes it difficult for SMEs to continually update their privacy notices as the use of personal data continues to evolve;
Privacy notices need to be updated and require inputs from various teams within an organization. Thus, keeping track of different versions, the changes, and updates made to the notice become difficult;
Larger organizations sometimes need to centrally manage privacy notices for all their departments or business units, each with its own unique set of data processing activities. This is a time-consuming and tedious process, especially since every department or business unit’s personal data collection and processing requirements can undergo rapid changes. This makes it impossible for large organizations to update multiple privacy policies using manual review mechanisms;
For organizations utilizing agile development, data processing changes can cause privacy notices to be out of date very quickly. This is especially true for the use of cookies within the website environment. Suppose privacy officers cannot track changes/updates in data processed, collected, sold, shared, or retained by the organization. In that case, they may develop inaccurate or incomplete notices causing privacy violations & increasing the risk of potential fines and lawsuits.
Organizations working within multiple jurisdictions need to read and analyze different global laws and regulations and ascertain requirements for privacy notices for each region. They then must include these details either geo-specifically or universally within the privacy notice to stay compliant. This is a huge endeavor requiring specialist legal knowledge.
The legal and regulatory is ever-shifting and new regulations and amendments to existing regulations are commonplace. This requires constant vigilance and the capability to bring changes and updates to the information presented within the privacy notice.

PrivacyOps Approach to Privacy Notice Creation & Management

The PrivacyOps approach to Privacy Notice creation and management incorporates a secure privacy portal which is used by an organization to publish detailed, transparent, and fully compliant privacy notices from a library list of different templates that require smart inputs.

Organizations will be able to securely collaborate with partners internally within the portal to set up the notice. They shall easily create, manage, and track different versions and changes to the privacy notice.

The PrivacyOps approach utilizes AI-powered robotic automation and data intelligence to continuously scan data stores and automatically update any changes to the collection, processing, sharing, selling, or retention of personal data. The privacy notice is also updated automatically in real-time, ensuring compliance.

The continuous real time robotic updates of the privacy notice within the PrivacyOps platform is especially important for Organizations to be able to track and map dynamic tracking technologies employed on their websites and import the results into the privacy notice.

Finally, the PrivacyOps approach to privacy notice creation and management will also integrate links to the DSR fulfillment portal and Universal Consent Management for data subjects’ to exercise their rights through an accountable, efficient, easy-to-use transparent process.

The Two Maturity Levels of Privacy Notice Creation & Management

Privacy Notice Creation and Management Maturity Level 1

The PrivacyOps approach recommends that organizations transition from manually drafting and managing privacy notices to automating privacy notice management in two steps or ‘maturity levels.’

PrivacyOps recommends the use of a secure portal for the creation and management of privacy notices. The privacy notice portal shall have the following features:

Pre-built ’regulation specific’ and ‘industry specific’ templates shall be available which organizations can use according to the advice and consultation of privacy and business experts. This will ensure that the organization’s privacy notices are always compliant with various, ever-changing global data privacy regulations and laws.
The templates will be easy to populate, utilizing a built-in library with multi-select options to choose what types of personal data categories are collected and processed by the organization, a picklist for various types of security measures organizations are undertaking to protect the data and selectable retention periods for the holding of certain types of personal data categories.
It would also be possible for organizations to import their existing privacy notices from an external source to within the portal. The system shall scan the imported notice (if it follows the prescribed format) and glean the information within it to pre-populate the privacy portal’s selections in the new template.
This portal shall be a collaborative space in which relevant stakeholders from different departments of the organization and external partners can be invited to share their insights to ensure the privacy notice is accurate and fully transparent.
This portal shall also help manage multiple privacy notices required by organizations that run numerous operations and thus need different privacy notices for each arm. Versioning will also be easily manageable, and the notices will be available in multiple languages with auto-translation features.
A built-in privacy notice banner in which the organization will add cookie collection details via various easy-to-fill forms.
Customizable, formatted, pre-populated sections on service providers, international transfers, children’s data, and data subjects rights will require some simplified inputs and an easy-to-use, collaborative review process to be published.

Privacy Notice Creation and Management Maturity Level 2

The signature automation of tasks and next-generation data intelligence found within PrivacyOps comes into play in the second maturity level.

Essentially, organizations will be able to use insights derived from the Data Mapping exercise and other PrivacyOps compliance exercises to update the information within their privacy notice in real-time. Thus, Maturity Level 2 allows organizations to create and manage multiple privacy notices seamlessly and effortlessly as changes in data collection or processing operations will automatically be detected and incorporated within the privacy notice in real-time and will be available for approval before final publication.

Features of PrivacyOps Privacy Notice Creation and Management within Maturity Level 2 include:

Changes in the organization’s data processing activities, the type of personal data categories collected or processed, and data processors used by the organization will be automatically detected via scheduled scans of data stores within the Data Mapping module. The website will reflect these updates within the pre-populated picklists in the privacy notice portal, and the system will send alerts to update the notice.
Organizations will be able to import and sync their cookie policy within the privacy notice by importing results from a live cookie scanner report. Scheduled Cookie scans will alert organizations if the cookie policy within the Privacy Notice is outdated.
The system would be able to link the Universal Consent Management module within the cookie policy section of the privacy notice for data subjects wishing to change consent preferences and the DSR portal in the Data Subject Rights Section for data subjects wishing to exercise their rights.
Periodic review alerts can be scheduled for the Privacy Notice to ensure it always remains up to date and transparent.

Incident and Breach Management

Data breaches are security incidents that lead to loss, alteration, illegal or unauthorized destruction or unauthorized disclosure of, or unauthorized access to personal data that is processed, stored, or transmitted by an organization.

How to Prevent a Personal Data Breach?

To prevent personal data breaches, organizations must implement appropriate security controls relevant to the circumstances of data processing. Such security controls may be preventative (security measures to limit the personal data breaches) and remedial (mitigation measures to limit the impact of a personal data breach that has happened) in nature.

Organizations must consider the following factors while choosing an appropriate security control for the protection of personal data:

**Nature, scope, context, and purposes of personal data processing:**The nature, scope, context, and purposes of data processing may affect the risks to the rights and freedoms of data subjects. For example, the more sensitive the data is, the higher the risk of harm will be. Even a small amount of highly sensitive personal data can have a high impact on an individual. Therefore, such factors must be taken into account while implementing a security control.
**Industry best practices around security controls:**Data security is a domain of professional expertise. Therefore, organizations must consider industry best practices in choosing an appropriate security control. For example, encryption is one of the industry-acceptable security measures.
**Costs of implementation of security controls:**A security control does not need to be exorbitantly expensive and organizations must consider the cost of implementation of security controls. Companies must financially invest in security measures and implement cost-determinative security controls.

In addition to the considerations above, an ideal security control must have the following abilities:

Restore the availability and access to personal data promptly in the event of a security incident.
Render the data unintelligible for any person who is not authorized to access it.
Ensure confidentiality and integrity of data processing systems and services

Despite security controls, security incidents will inevitably take place. However, not every security incident qualifies as a personal data breach and not every personal data breach is required to be notified to the regulatory authority and impacted data subjects. Therefore, every organization must have an effective and robust breach response management process. It must have a mechanism in place to determine when a security incident is considered a personal data breach, when a personal data breach needs to be notified, identify areas of improvement, and implement necessary remediation measures to reduce consequences on data subjects.

The Steps of a Breach Response Mechanism

Once a security incident has taken place, an organization must immediately respond to it. An effective breach response mechanism has the following steps:

**Containment of the security incident:**The first step is to contain the security incident immediately by trying to get lost information back, disabling the breached system, canceling or changing computer access code, or trying to fix any weakness in the organization’s physical or technical security. The containment of the security incident enables organizations to mitigate the risks posed to data subjects.
**Data Breach Assessment:**The second step is to determine whether the security incident qualifies as a personal data breach. The definition of a personal data breach differs from one privacy law to another, and therefore, the organization must conduct the data breach assessment relevant to its jurisdiction.
**Data Breach Risk Severity Assessment:**Once a personal data breach has been determined, the next step is to evaluate the severity of the potential or actual impact on data subjects as a result of the breach and the likelihood of this occurrence. This should be done by taking into consideration the nature of the harm that may be caused to data subjects, whether the breached personal data was sensitive, whether the breached personal data was protected by a security control and any other relevant factors. The data breach risk severity assessment enables organizations to determine their breach notification requirements.
**Breach notification:**After the data breach risk severity assessment, an organization is familiar with whether it is required to notify the breach to regulatory authority or impacted data subjects or both. It must fulfill its breach notification obligations within stipulated time frames to avoid any penalties and sanctions.
**Reviewing security controls:**After the occurrence of every security incident and personal data breach, the organization must review and update its data breach response mechanism. It must assess the effectiveness of security controls to prevent security incidents and data breaches in the future.

Breach Notification Requirements in Major Privacy Laws

Most global privacy laws require organizations to report personal data breaches to regulatory authorities and impacted data subjects. However, the threshold at which an organization is required to fulfill such notification requirements differs depending on the entity to be notified and the respective data protection law.

Let’s look into breach notification requirements of GDPR, CCPA, and LGPD:

The Challenges of Effective Breach Management

Failure to fulfill breach notification responsibilities may expose organizations to exorbitant amounts of fines and penalties. Therefore, an organization must have mechanisms and procedures in place of doing so. Organizations face several challenges while implementing effective data breach notification management.

Complex legal landscape Most global privacy laws require organizations to disclose data breaches. Based on the place of business and jurisdiction, an organization may be required to comply with several laws with unique data breach requirements. Also, regulations change often, leading to complexities in managing data breaches.
Time and resource-intensive Managing a data breach can be very time-consuming. Administrators spend hundreds of hours investigating data exposed, assessing risk exposure, developing a remediation plan, and notifying impacted stakeholders.
Inconsistent risk assessment Before an incident can be declared a data breach, organizations need to assess that incident’s impact and evaluate its risks. However, with several applicable laws, organizations do not have a consistent way to evaluate risks and determine if they qualify for any exceptions.Therefore, a comprehensive breach management product should assist organizations in managing the breach lifecycle promptly. It must offer a complete workbench to simplify incident workflow management, a built-in research database and automation to handle repetitive tasks with minimum disruptions.

Vendor Assessment

Vendor assessment provides a professional, independent, and systematic evaluation of how well an organization’s vendors or prospective vendors comply or is ready to comply with different global privacy regulations. It also provides a snapshot of vendors’ personal information handling practices, privacy and cybersecurity risks, security measures, and obligations under a specific privacy regulation. It consists of sets of questions divided into sections that address various aspects of the privacy compliance readiness of vendors.

Why Should Organizations Assess Vendors?

Today’s business trends indicate that organizations are embracing the digital revolution and are relying increasingly on vendors to fulfill their business needs and give themselves a competitive edge. As this reliance grows, so do the privacy risks. A recent Deloitte poll revealed 70 percent of respondents indicated a moderate to a high level of dependency on external entities that might include third, fourth, or fifth parties. The cross-sharing of consumers’ personal data across various vendor software raises security and privacy concerns.

Global privacy regulations, such as the California Consumer Protection Act (CPRA) and the General Data Protection Regulation (GDPR), were enacted to ensure stricter standards for handling consumers’ personal data. These regulations require organizations to assess vendor privacy risks thoroughly. A failure to do so can expose them to massive fines, reputational damage, and potential criminal liability. Therefore, unless a business can demonstrate all controls were in place and that it is “not in any way responsible for the event or actions giving rise to the damage,” it will be held liable for any damage caused by non-compliant vendor processors.

This becomes increasingly alarming as more and more organizations are becoming reliant on vendors. Therefore, it is paramount that organizations run a thorough assessment of these vendors and analyze their risks before entering a partnership with them.

Liabilities of Data Controllers and Vendors’ Non-Compliance Risks

The European Union’s General Data Protection Regulation:

Under the GDPR, the data controller is responsible for assessing its processor’s compliance with the GDPR’s requirements. This assessment takes into account the nature of the processing and the risks to the data subjects. Article 28(1) of the GDPR states that “where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.”

Although data controllers are primarily responsible for their processors’ GDPR compliance, this does not mean GDPR compliance isn’t a concern for the data processor or the vendor. Article 28(3) of the GDPR requires businesses to engage vendors for data processing with a written contract. The contract should set the subject matter, data processing duration, nature, and purpose of processing, the type of personal data and categories of data subjects, and the controller’s obligations and rights. Such a contract must stipulate that the vendor or processor will process the personal data only on documented instructions from the controller and other reasonable safeguards to ensure proper data privacy compliance under the GDPR.

However, a data controller would be primarily responsible for ensuring the compliance of its data processors. Regardless of the terms of the contract with a data processor, the data controller may face sanctions under the GDPR. Data controllers are also required to ensure data processors’ compliance on an ongoing basis to comply with the accountability principle and demonstrate due diligence under the GDPR.

Issues of Manually Assessing Vendor Privacy

To mitigate vendor security risks, organizations must implement a vendor risk evaluation process. However, manually assessing a vendor’s privacy risk can be inefficient, inconsistent, costly, and time-consuming. This labor-intensive process can lead to an organization suffering from assessment fatigue due to a lack of diligence.

Some of the challenges associated with vendor management include:

The PrivacyOps Solution to Vendor Assessments

To alleviate the challenges mentioned above, PrivacyOps requires a system-of-record, a system-of-knowledge, a system-of-engagement, and a system-of-automation to bring all vendors together in one place to communicate privacy needs and complete assessments with one platform. It provides the following capabilities:

System of Record maintains assessments completed by all vendors in the vendor assessment dashboard. It also keeps a detailed track of all new, existing, and retired vendors, including documents, contracts, and evidence of evaluation & vulnerability agreements for data protection.
System of Knowledge provides a collection of updated global regulations templates like GDPR, CCPA, LGPD, etc., along with ready-made and custom assessment templates, curated especially by the organization to meet their vendors’ needs accordingly.
System of Engagement and Collaboration provides automated support regarding data-collecting assessments and enables organizations to meet and communicate with various vendors on a single, highly-secured platform. Organizations can use vendor Explorer to locate vendors and request an assessment of their privacy ratings. The system automatically generates comprehensive reports through a workflow, which the team can audit on-site for input, review, and approval processes.
System of Automation and Insights enables the organization to establish and keep momentum by generating timely reminders for the vendors to complete and update assessments and follow the periodic vendor assessment requirements under several privacy regulations. It also allows the organization to create a structured follow-up for all their vendors to formulate their responses according to multiple regulations efficiently. In this automation system, organizations can analyze the risk of vendors both in terms of their likelihood and the severity of the consequences should they occur. Risks in vendor assessments can be triggered by conditional logic or a heat map in the assessment process. Organizations can also use the risk panel to view risks flagged by vendor responses quickly. Furthermore, the business can launch automated campaigns via the web console for internal discussions with just a few clicks for one or hundreds of vendors.

How Vendor Privacy Risk Monitoring and Ratings Work

As discussed earlier, controllers and processors must ensure that all vendor partners comply with regulatory privacy requirements. Most regulations mandate ongoing, periodic assessments to ensure privacy compliance guidelines are followed. In addition to getting a privacy assessment completed by a vendor and gathering evidence related to the vendor’s compliance, it is also beneficial to obtain an independent evaluation of a vendor’s privacy risk. This evaluation allows organizations to develop an effective strategy for data protection, risk management, and compliance.

Vendor Explorer capability in PrivacyOps is a library of personal data processors that have already been investigated and rated by the PrivacyOps research team. Organizations can use this tool to locate vendors by name and by their Rating. Organizations can also use the Vendor Explorer to quickly request that a vendor submit an assessment for them to evaluate. When assessing the risk associated with a vendor, PrivacyOps considers three main points; data protection practices of vendors, their privacy violations, and respect for consumers’ data.

The Privacy Score provides an independent view of privacy practices of a vendor, as calculated based on privacy statements and data available about a vendor.

Data Protection

Data protection comprises the vendor processes to protect the data that it collects, processes, and shares. This includes the technical and security measures that the vendor performs to protect the data. For rating and Privacy scores, the PrivacyOps research team assess risks around:

Data Collection: Analyze risks around the vendor’s data collection and use processes, including mandatory notification requirements under relevant privacy regulations. It also analyzes the ability to obtain explicit consent from users and the particular handling of underage consumers.
Data Storage: Analyze risks around the vendor’s data storage and data retention capabilities to understand how effective they are in keeping sensitive data safe and secure. Critical capabilities analyzed should include transport-level encryption, encryption at rest, access control mechanisms, fault tolerance, retention and backup capabilities, and forensic event logs for effective alerting, reporting, and policy actions.
Data Sharing: SaaS, IaaS, and PaaS vendors acquire volumes of data about their customers, which could be misused, leaked, or sold to other vendors, increasing its risk. It’s essential to review and understand how the data is analyzed or monetized by a vendor. Other critical risk factors to examine are the financial incentives baked into contracts and agreements to collect and sell personally identifiable information.

Privacy Violations

Knowing a vendor’s track record in maintaining its cybersecurity posture is essential to reduce its risk exposure. A good indicator of a vendor’s privacy health comes from the number of incidents resulting in a fine from a regulatory body or the number of data breaches experienced by the vendor. Little to no violations indicate a sound security posture score and rating. Any fines and breaches experienced by the vendor also indirectly harm the reputation of the business itself.

Respect for Consumers’ Data

A vendor’s ability to satisfy customer data requests for the data it collects and processes is a good indicator of its privacy program’s maturity. Assessing the vendor’s maturity in handling consumer DSR requests is essential for the vendor assessment exercise.

Responsible vendors incorporate privacy best practices into their design and development processes and offer tools and solutions to satisfy customer data requests within their SaaS products. These qualities are of significant operational value to the businesses and better vendor ratings.

To summarize, organizations must analyze all the aspects of their potential vendors concerning risk and security before choosing the right one. Organizations must assess the risks associated with their vendors before starting a relationship with them, as handling consumers’ personal data is a huge undertaking. This is a long, meticulous task that could seem inefficient and time-consuming. Organizations should implement PrivacyOps automation to make this process swift and productive with minimal error and complete compliance.

AI Governance

Significance Of The Artificial Intelligence

The rapid development of AI systems and models, particularly since the launch of ChatGPT in November 2022, has profoundly energized the business landscape in an unprecedented manner. Generative AI is revolutionizing industries with significant advances in productivity and new capabilities

Following are some examples of the unprecedented opportunities presented by the AI to the business world:

Automation for Efficiency: AI can automate repetitive tasks, leading to increased productivity and operational efficiency.

Data-Driven Insights: AI has the capability to extract valuable insights from large datasets, providing businesses with a competitive edge through data-driven decision-making.

Creative Problem Solving: AI can generate innovative solutions and ideas, even when provided with ambiguous or incomplete instructions, enhancing problem-solving and creativity.

Content Creation: AI can produce high-quality content swiftly and on a large scale, benefiting content marketing, advertising, and customer engagement.

Autonomous Decision-Making: AI enables levels of autonomous decision-making that were not possible with prior generations of AI.

Generative AI And Its Value

Generative AI is a category of AI that excels at creating new content after learning patterns in real-world data. When provided with inputs or prompts, various generative AI models can generate diverse types of content. Here are some examples:

Text Generation Models: Text generation models that have been aligned (typically through Reinforcement Learning from Human Feedback) include OpenAI ChatGPT, Google PaLM 2, and Meta LLaMA-2-Chat. These models are capable of unprecedented (albeit imperfect) capabilities instruction following that has led to their adoption across many industries. Particularly surprising are their abilities to perform zero-shot and few-shot learning, language translation, programming, and fluently generating meaningful content across a vast number of domains.

Text-to-Image Models: Certain generative AI models, such as those underlying Stable Diffusion, Midjourney, and DALL-E, can produce, extend, or refine images from prompts.

Text-to-Video Generation: Other models like Meta’s Make-A-Video can generate videos from prompts as well..

AI models with generative capabilities, e.g. ChatGPT, DALL-E etc., are also referred to by the regulators as ‘general purpose AI’ or ‘foundation models’. These AI models are trained on large sets of unlabelled data that can be used for different tasks with minimal fine tuning.

Two key technologies underlying the generative AI revolution are (a) transformers, and (b) diffusion.

Transformers are typically used in text data but can be used for images and audio. They are the basis for all modern Large-Language Models (LLMs) because they allow neural networks to learn patterns in very large volumes of (text) training data. The result is the amazing capabilities observed in text generation models.

Diffusion models have overtaken Generative Adversarial Networks (GANs) as the neural models of choice for image generation. Unlike the error-prone image generation process of GANs, the “simplified” image generation process of diffusion models works by iteratively constructing an image through a gradual denoising process. The result is a myriad of new AI-based tools for generating and even editing images with useful outcomes.

According to McKinsey, just generative AI has the potential to contribute between $2.6 trillion and $4.4 trillion to annual business revenues. More than 75% of this value is expected to come from the integration of generative AI into customer operations, marketing and sales, software engineering, and research and development activities.

Generative AI’s Need for Data

Data plays a central role in the development of generative AI models, particularly Large Language Models (LLMs). These models rely on vast quantities of data for training and refinement. For example, OpenAI’s ChatGPT was trained on an extensive dataset comprising over 45 terabytes of text data collected from the internet, including digitized books and Wikipedia entries. However, the extensive need for data collection in generative AI can raise significant concerns, including the inadvertent collection and use of personal data without the consent of individuals. Google AI researchers have also acknowledged that these datasets, often large and sourced from various places, may contain sensitive personal information, even if derived from publicly available data.

Let’s explore the common sources of data collection employed by generative AI developers:

Publicly-Accessible Data

The majority of training data for generative AI comes from publicly-accessible data sets. Web scraping is the most common method used to collect data. It involves extracting large volumes of information from publicly accessible web pages. This data is then utilized for training purposes or may be repurposed for sale or made freely available to other AI developers.

Data obtained through web scraping often includes personal information shared by users on social media platforms like Facebook, Twitter, LinkedIn, Venmo, and other websites. While individuals may post personal information on such platforms for various reasons, such as connecting with potential employers or making new friends, they typically do not intend for their personal data to be used for training generative AI models.

User Data

Data shared by users with generative AI applications, such as chatbots, may be stored and used for training without the knowledge or consent of the data subjects. For example, users interacting with chatbots providing healthcare, advice, therapy, financial services, and other services might divulge sensitive personal information. While such chatbots may provide terms of service mentioning that user data may be used to “develop and improve the service,” critics argue that generative AI models should seek affirmative consent from users or provide clear disclosures about the collection, usage, and retention of user data.

Considering their transformative potential, many organizations have also embedded generative AI models into their products or services to enhance their offerings. Such integration, in some cases, can also serve as a source of data, including the personal data of the consumers, for the training and fine-tuning of these models.

Significant Risks Associated With The AI

While the business world increasingly recognizes the immense and unprecedented value brought about by the advancement of AI systems and models, there is also a growing global concern regarding the immediate dangers and risks associated with the unregulated progress of this technology.

The very qualities that make AI systems and models, such as LLM models, appealing technological innovations also render them potentially the riskiest technologies if not developed and implemented with careful consideration.

In particular, the current capabilities of AI models to learn patterns in vast quantities of data and make their insights available through natural language interfaces has real potential for the following abuses:

Unauthorized mass surveillance of individuals and societies.
Unexpected and unintentional breaches of individuals’ personal information.
Manipulation of personal data on a massive scale for various purposes.
Generation of believable and manipulative deep fakes of individuals.
Amplifying while masking the influences of cultural biases, racism, and prejudices in legal and socially significant outcomes.

The risks posed by the rapid advancement of AI systems and models have become so pronounced that, in an unprecedented move in March 2023, 30,000 individuals, including some of the world’s leading technologists and technology business leaders, signed a letter urging global governments and regulators to intervene unless AI developers agreed to voluntarily halt or slow down the development of AI technology for a period of six months.

The Regulatory Response To AI

With the widespread adoption of AI models and systems in the business and commercial sectors, and the rapid evolution of their capabilities and applications, governments and legislators worldwide are taking swift action to establish regulatory controls on the use of AI. These measures aim to identify, mitigate, and oversee privacy and related risks associated with AI models and systems before they can cause significant harm to individuals. This proactive global response to AI is characterized by a concerted effort to strike a delicate balance between technological innovation, business potential, individual rights, and the broader societal good.

Governments and regulatory bodies are not hesitating to take action when AI models or systems become the center of controversy. Following are some of the examples of regulatory actions targeted AI developers and deployers:

Clearview AI

Clearview AI, a US company which developed an AI facial recognition algorithm based on photos scrapped from social media websites, was recently fined almost $8 million by the UK’s Information Commissioner’s Office for collecting personal data from the internet without obtaining consent of the data subjects. Similarly, the Italian data protection authority fined the company $21 million for committing breach of data protection rules. The authorities in Australia, Canada, France, and Germany have also taken similar enforcement actions against the company.

In the United States, through a lawsuit brought by the American Civil Liberties Union (ACLU) under the Illinois’s Biometric Information Privacy Act (BIPA), Clearview AI consented to stop selling its AI facial recognition algorithm system in the United States to most businesses and private firms across the U.S. The company also agreed to stop offering free trial accounts to individual police officers, which had allowed them to run searches outside of police departments’ purview.

Replika AI

The Italian data protection authority banned the Replika app, an AI chatbot developed by Luka Inc., from processing personal data of the Italian users. The company was also issued a warning to face a fine of up to 20 million euros or 4% of the annual gross revenue in case of non-compliance with the ban. The reasons for the ban cited by the regulatory authority included concrete risks for minors, lack of transparency, and unlawful processing of personal data.

ChatGPT

ChatGPT, a large language model-based chatbot developed by OpenAI, was banned by the Italian data protection authority and was only allowed to resume its operation once it established controls to comply with the GDPR provisions related to privacy notice, legal bases for data collection, and the data subject rights. Further, data protection authorities in Canada, Spain, Germany, and Netherlands have also initiated or have shown intention to initiate investigation proceedings to check the chatbot’s compatibility with data protection laws.

Thus, while the potential profitability of developing, using and deploying AI solutions is undeniable for global businesses due to the promised enhanced efficiency, unprecedented insights, and transformative growth offered by the technology, the regulatory landscape surrounding AI remains a tumultuous frontier, where vague legal frameworks and evolving global standards developing in real time create a unique compliance challenge and a risky business environment filled with potential liabilities. Thus, in this unmapped and uncharted landscape, businesses are confronted by the imperative to work hard to be the first to develop and deploy this game changing technology while navigating the regulatory maze carefully so as not to risk massive liabilities. Therefore, in such a pivotal juncture, the value of gaining insights into the regulatory obligations envisioned by global regulators cannot be overstated.

Regulatory Compliance Regime for AI

The AI regulatory compliance regime is evolving rapidly and varies from one country/region to another. So far, a number of countries have introduced and are in process of finalizing their comprehensive AI laws e.g., the European Union, Brazil, Canada, Japan, Singapore etc. Just like the General Data Protection Regulation (GDPR), the European Union’s AI Act is leading the way of comprehensive AI regulations and is expected to come into force by the end of 2023. Once enacted, the AI laws will require the business developing and deploying different types of AI to comply with a mammoth of compliance obligations.

Some of the global AI regulations are:

Canada Bill C-27 (AIDA) (under consideration with the Standing Committee on Industry and Technology)
New York Local Law No.144 (Law 144) (Enforcement began from 5 July 2023)
California Senate Bill 313 (pending with Senate Appropriations Committee for hearing)
Brazil Draft AI Law (under consideration)
EU AI Act (expected to come into effect in 2023)
Shanghai AI Regulation (came into effect on 1st October 2022)

In addition to AI regulations, various regulatory bodies have issued guidelines and compliance frameworks on AI such as the following:

NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0)
UK ICO’s AI and Data Protection Risk Toolkit
Singapore Infocomm Media Development Authority AI testing toolkit
Australian NSW AI Assurance Framework
European Commission guidelines on Ethical Use of Artificial Intelligence in educational settings
French DPA Self-Assessment Guide for AI systems
Spanish DPA Guide on machine learning
China Cyberspace Administration draft policy on Measures on the Management of Generative Artificial Intelligence
India Council of Medical Research Guidelines on the use of AI in biomedical research and healthcare
Vietnam draft National Standard on Artificial Intelligence and Big Data

Since generative AI is the most proliferating type of AI and relies on huge amounts of data for the training and fine-tuning of its models, the businesses dealing in generative AI may also be under an obligation to comply with applicable data protection laws due to the use of personal data within the AI system. For example, in the US, if a company is using its generative AI model as a chatbot in a videogame or other online service directed at children, the company must fulfill certain requirements under the Children’s Online Privacy Protection Act of 1998 in relation to children’s personal data. These requirements include providing direct notice and obtaining affirmative consent from the children’s parents before collecting and using children’s personal data. Similarly, the use of different types of AI for different purposes may be subject to various sectoral laws, guidance issued by the regulatory bodies, etc.

Considering the complex web of regulatory obligations, the business must take a proactive approach towards compliance to safeguard against potential liabilities and avail the unprecedented opportunities for growth and innovation offered by AI.

Based on the existing and upcoming laws and regulations, following are some of the primary compliance obligations and best practices for the businesses developing and deploying the AI:

Assessments

AI Classification Assessments

Organizations must be able to assess the class and category of the AI systems to identify the applicable regulatory compliance obligations. AI systems will be subject to different regulatory requirements depending on the risks.

AI Training Data Assessment

Organizations must assess that the training data is subject to appropriate governance measures and management practices.

AI Conformity Assessment

Organizations must ensure that the AI system undergoes relevant conformity assessment as per the applicable laws and regulations before being placed on the market or put into use.

AI System Cybersecurity Assessment

Organizations must assess that appropriate technical solutions are in place to ensure cybersecurity of the AI system.

AI related DPIA

Organizations must assess and identify the privacy risks posed by AI systems to data subjects and society and document and apply mitigation measures to reduce the identified risks. A DPIA is required for high-risk data processing activities.

Algorithmic Impact Assessment

Organizations must assess and identify the risks (other than privacy) posed by AI systems to data subjects and society and document and apply mitigation measures to reduce the identified risks.

AI Bias Assessments

Organizations must be able to assess AI systems for any inherent bias in their decisions/outputs by conducting equity assessments.

AI Provider Assessment

While importing an AI system on the market, organizations must ensure that the provider of the AI system has drawn up appropriate technical documentation as per the applicable laws and regulations.

Disclosures

Disclosure of the use of data for AI

The privacy notices of the organizations must inform data subjects if their personal data will be used in any AI system.

Disclosure of the logic of AI system

The privacy notices of the organizations must explain the logic of the AI system, the factors relied on by the AI system in making the decision.

Disclosure of the rights of data subjects in reference to AI

Organizations must also inform the data subject about their rights in relation to their personal data e.g., right to access, right to deletion, right to object/ opt-out etc.

Notification of High Risks associated with the AI System

Organizations must immediately notify the relevant entities about the high risks that an AI system presents to the health, safety, and protection of fundamental rights of the persons.

Notification of Serious Incidents or Malfunctions

Organizations must immediately notify the relevant entities about any serious incidents or malfunctions that constitute breach of obligations to protect fundamental rights.

Instructions of Use

Organizations must ensure that the AI system is accompanied by appropriate, accessible, and comprehensive instructions of use to enable the operation of the AI system transparent for the users.

Conformity Marking

Organizations must affix the conformity marking of the AI system to the accompanying documentation or in any other manner, as appropriate, in compliance with the applicable laws and regulations.

AI System Interaction Disclosure

Organizations must ensure that the natural persons are informed of the fact that they are interacting with an AI system.

AI System Operation Disclosure

If an organization uses an emotion recognition system or a biometric categorisation system, it must inform the natural persons exposed to these systems about their operation.

Artificially Generated/ Manipulated Content Disclosure

If an organization generates deep fakes, it must disclose that the content is artificially generated or manipulated.

Consent

Informed Consent

If an organization relies on consent as a legal basis to use personal data of data subjects for/ by an AI system, it must obtain informed consent of the data subjects for processing their personal data.

Right to object/ opt-out of personal data processing in context of AI systems

Data subjects must be provided with an opportunity to object to/ opt-out of the processing of personal data for/ by the AI system, including profiling.

Data Subject Rights

Right to object to/ opt-out of personal data processing in context of AI systems

Data subjects must be provided with an opportunity to object to/ opt-out of the processing of personal data for/ by the AI system, including profiling.

Right to appeal automated decision

Data subjects must be provided with an opportunity to appeal any automated decision making and ask for a human review.

Right to access in context of AI systems

Data subjects must be provided with an opportunity to access their personal data being used for/ by AI systems.

Right to correction in context of AI systems

Data subjects must be provided with an opportunity to rectify the inaccurate personal data used for/ by the AI system

Right to delete in context of AI systems

Data subjects must be provided with an opportunity to have their personal data deleted from AI systems and any other database which will be used for/ by an AI system.

Right to data portability in context of AI systems

Data subjects must be provided with an opportunity to receive personal data in a structured and machine-readable format and to transmit the data to another organization.

Security

Data Security

Organizations must protect personal data being used by the AI system through technical measures.

System Security

Organizations must protect the AI system from unauthorized access, manipulation by bad actors through technical measures.

Internal and Environmental Resilience

Organizations must ensure safety of the AI system from errors, faults, or inconsistencies within the system or the environment in which it operates.

Redundancy Back ups and Failsafes

Organizations must ensure robustness of the AI system through technical redundancy solutions, including back up or fail-safe plans.

Data Poisoning Protection

Organizations must ensure to have technical solutions for protecting the AI system against attacks trying to manipulate the training datasets (data poisoning).

Adversarial Examples Protection

Organizations must ensure to have technical solutions for protecting the AI system from attacks involving inputs designed to cause the system to make a mistake (adversarial examples).

Model Flaws Protection

Organizations must ensure to have technical solutions for protecting the AI system from attacks involving inputs designed to exploit model flaws.

Governance

AI System Classification

Organizations are required to classify their AI systems based on their purposes and the level of risk posed by them.

AI System Documentation

Organizations are required to draw up and keep up-to-date technical and other important documentation of the AI system.

AI Logic Audit

Organizations are required to document and monitor the AI system’s logic and factors that it uses to achieve end results.

AI System Data Mapping

Organizations should be able to map the data assets, processes, vendors and third parties involved with the AI system.

Quality Management System

Organizations must put in place and document a quality management system to ensure compliance with applicable laws and regulations.

AI Risk Register

Organizations must establish, document, and implement a risk management system to evaluate the known and foreseeable risks associated with the AI system and take appropriate mitigation measures.

Data Governance Controls

Organizations must ensure that data/personal data being used in AI system adheres to principles of data minimization, purpose specification, and data retention.

Training Data Controls

Organizations need to be able perform certain operations on the data/personal data being used to train the AI System (bias removal, anonymization).

AI Output Filters

Organizations need to be able to monitor output results in real-time to detect any release of personal data in the output results.

ROPA Reports

Organizations must be able to audit and demonstrate to regulators the use of assets, data/personal data, processes and vendors used by AI systems.

Human-Machine Interface/ Oversight Tools

Organizations must design and develop AI systems with appropriate human-machine interface tools to enable effective human oversight.

Operational Monitoring System

Organizations must be able to actively monitor the operation of the AI system throughout its lifecycle to ensure regulatory compliance.

Feedback Loop Monitoring

Organizations must be able to monitor feedback loops and take appropriate measures.

Algorithm Deprecation/ Disgorgement

Organizations must be able to retain versions of the AI system to be able to deprecate/claw back/disgorge the AI algorithm by removing illegal data and the learning obtained from it.

AI Event Logs

Organizations must keep the event logs for an AI system and must be able to provide access to the regulatory authority to these logs upon request.

Declaration of Conformity

Organizations must draw up a declaration of conformity for their AI systems to demonstrate compliance with the applicable laws and regulations.

Registration of AI System

Organizations must register their AI systems with the relevant databases as per the requirements of the applicable laws and regulations

How Can PrivacyOps Help In AI Governance?

The mapping of existing as well as upcoming regulatory obligations provides a roadmap for businesses to understand the compliance expectations of major global regulators from AI developers and deployers. Businesses must begin to develop technical capabilities, policies and procedures to ensure they can continue to develop and use AI systems and models while avoiding potential legal pitfalls which may arise in the future.

PrivacyOps is the perfect solution for the organizations aiming to achieve AI governance. It refers to the combination of philosophies, practices, automation, and orchestration that increases an organization’s ability to comply with a myriad of laws and regulations reliably and quickly. It evolves an organization from traditionally manual methods across various functional silos to full automation in a cross-functional collaborative framework.

With its proven value for the organizations in relation to global comprehensive privacy laws compliance, the PrivacyOps – the AI-powered robotic automation framework – is the best approach to achieve the complex AI governance without having to fear liabilities and regulatory risks.

Let’s look into some of the steps PrivacyOps can help automate and ensure compliance with global AI regulations and achieve AI governance.

Step 1: Classify AI systems and Assess risks using Automated Assessments

Automated Assessments can help organizations assess the risks of their AI systems at pre-development, development and post-development phases and document mitigations to the risks.

Step 2: Secure AI systems using Automated Data Security and Data Access Governance

Automated Data Security controls can help organizations ensure that there are proper safeguards to protect AI systems and the data involved from security threats and unauthorized access.

Step 3: Monitor and clean input data using Data Mapping and Sensitive Data Intelligence

Automated data mapping and sensitive data intelligence can help organizations catalog training data in order to ensure bias removal, anonymization, removal of sensitive personal data, removal of obsolete data as well as ensure the data is accurate and minimized as per applicable data protection standards.

Step 4: Disclose AI systems related details to data subjects using Privacy Notice Creation & Management

Automated privacy notice creation and management can help organizations publish AI systems related disclosures to data subjects in their privacy notices with explanations of what factors will be used in automated decision-making, the logic involved and the rights available to data subjects.

Step 5: Obtain consent and honor opt-outs from data subjects using automated consent management

Automated consent management can help organizations obtain data subjects’ consent for automated decision-making or provide data subjects the right to opt-out of their personal data being used by AI systems at the time of collection of their personal data.

Step 6: Fulfill Data Subject Rights using automated Data Subjects Rights Fulfillment

Automated data subjects’ rights fulfillment allow organizations honor data subjects’ rights to access their personal data which has been processed by the AI system, the logic involved and the outputs it created based on the process. It also allows organizations to honor individuals’ requests to delete their personal data from AI data systems, opt-out and appeal any decision made by an AI system or obtain human intervention.

Step 7: Demonstrate Compliance and Audit using Data Mapping and Sensitive Data Intelligence

Automated Data Mapping can help organizations monitor AI systems by allowing them to know what personal data/sensitive personal data is fed into the AI system, show that it is complying with its intended logical parameters and bias removal mechanisms, demonstrate compliance to regulators, produce ROPAs and maintain event logs.

The Need for Effective Data Privacy Management Today

With over 120 countries legislating new data privacy laws and regulations similar to the GDPR and CPRA, the need to implement a comprehensive PrivacyOps framework in organizations is urgent. Regulators have consistently punished corporations with hefty fines for non-compliance, and soon, every major country in the world will enact its Privacy Law. Privacy awareness among consumers is also rising, and more consumers are now concerned about their privacy than ever before.
Many companies are now responding to the growing concern for data privacy by taking the lead to ensure that their consumers’ trust is not compromised. Labeled as the ‘trust wars,’ organizations are now positioning themselves as privacy champions to stand out amongst their competitors to the general public. Thus, it is smart business to invest in data privacy compliance and use state-of-the-art technology to ensure the consumers trust their personal data is secure with the organization.
Finally, while personal data processing continues to drive innovation and business in the modern world, many now consider protecting, secrecy, and management of an individual’s personal data to be a new, emerging, and fundamental human right. Organizations must revamp their compliance operations with personal data to reflect this new paradigm and reality.

Why Existing Data Privacy Management Practices are Obsolete

But with different laws and regulations setting additional requirements, privacy compliance is also becoming a complex problem for organizations that collect, process, share, or sell millions of individuals’ personal data. With each jurisdiction varying in the specifics, tasks such as completing a data subjects’ rights request or updating a compliant privacy notice are becoming impossibly difficult for organizations through existing data privacy management models.

These factors make manual compliance with privacy laws expensive and complicated.

These are the disadvantages of manual compliance:

Too many people are needed to manually search data stores for personal data and complete a DSR report: = The organization would require a considerable workforce.
Humans require a lot of time to search data stores for personal data of data subjects manually = Lots of time wasted.
Different global laws have requirements (breach notifications or privacy notices), requiring expensive geo-specific compliance and legal experts = Too much cost.
Strict deadlines within global data privacy laws and regulations coupled with an active enforcement pattern from enforcement authorities and rising consumer concern on data privacy issues = Too much risk.
Different teams’ requirements to participate in data privacy compliance using manual tools can lead to disorganized compliance and risk data sprawl.
Need for a secure collaborative workspace or portal that can streamline compliance activities.

How Securiti Helps Simplify Data Privacy Management

Securiti uses award-winning and innovative AI-powered robotic automation and data intelligence to develop a range of products that follow the philosophy behind PrivacyOps compliance. Using a secure privacy portal and multiple connected modules, organizations can use Securiti’s suite of Privacy solutions to implement a robust PrivacyOps framework.

Data Mapping

With advanced Data Mapping software, organizations can automate ****data discovery, dynamically update data catalogs, trigger new assessments, and update their risk register. Data Mapping solutions can also initiate PIAs & DPIAs, generate RoPA reports, generate visual data maps for real-time data monitoring, and give real-time insights into risks related to data processing activities.

Data Subject Rights (DSR) Request Fulfillment Automation

A DSR solution enables organizations to fulfill data requests within the stipulated time. Organizations can use a secure portal to receive and verify DSR requests, automatically link Personal Data to individual identities using AI, collaborate on tasks in a secure portal, save comprehensive records for regulatory review, and use robotic assistance to fulfill requests.

Consent Lifecycle Management

Use the Universal Consent Management solution to capture consent and honor revocations effectively. According to the respective region, the Cookie Consent Management solution helps organizations automatically scan and categorize cookies, display personalized consent banners, and honor revocations via the preference center. The consent solution also maintains updated consent records to demonstrate compliance with regulations.

Sensitive Data Intelligence

The Sensitive Data Intelligence solution provides several capabilities in a single platform.

Using this solution, organizations can:

Discover sensitive and personal data across any structured, or unstructured assets.
Build a catalog of all shadow & managed data assets.
Enrich sensitive data catalogs with privacy, security, and governance metadata.
Enrich the sensitive data catalog with automated classification and tagging.
Discover and centralize sensitive asset and data posture.
Visualize and configure data risk.
And finally, the SDI solution can help organizations build a relationship map between data and its owners.

Privacy Notice Creation and Management

Utilize a secure portal and expert-made templates to publish and manage multiple privacy notices. The portal incorporates various global privacy regulations and enables data subjects to manage their rights. Organizations can also automatically update their privacy notices when new personal data categories, processes, or cookies are discovered within their data stores.

Incident and Data Breach Management

Organizations can scan affected datastores after an incident to discover data subjects’ personal data and impacted jurisdictions. This solution helps organizations streamline the notification process and take immediate remedial steps to comply with the applicable global data privacy laws.

Vendor Assessments

Organizations can evaluate the privacy risks of third parties using smart assessment tools. These tools enable organizations to collect assessment information from third parties. It also enables collaboration among stakeholders, automates follow-ups, and provides compliance analytics.

Assessment Automation

Using this solution, organizations can audit once and comply with multiple regulations.

The solution also helps organizations to:

Collaborate and track all internal assessments in one place.
Develop a comprehensive knowledge base of global regulatory requirements.
Have a single repository of all internal assessment responses and documents.
Easily share completed assessments with customers and partners.
Automatically assign tasks and follow-ups from relevant stakeholders.
Finally, the assessment automation solution helps organizations collaborate with subject matter experts, across functions, on one privacy platform.

To see all that you have learned in this course in action, please visit us at https://securiti.ai/

Privacy Reading:

https://securiti.ai/knowledge-center/

GDPR compliance checklist - GDPR.eu

Overview: Introduction to the PrivacyOps Certification - Securiti Education

IBM Data Privacy for Information Architecture

Data Privacy Fundamentals

This course helped me to understand how to combine different techniques within image generation especially MultiControlNet. But not only this subject worse to participate in this course.

Introduction

I almost skip the explanation how to install and set Automatic111 since I am running pipes locally. But still, I discovered openpose-editor extension and it’s repo. Openpose is one of the features required project I am working on and joined this course.

Another important knowledge about CLIP Interrogator.

CLIP works for both image creation using prompt and prompt ‘extraction’ from image:

- classic case when we are writing prompt and expecting to get images based on it. CLIP runs on background, analyze tokens or prompt and generate image representation;
- advanced case when we have an image and want to know using what prompt it was generated, get some description of image.

Of course there are different versions of CLIP and they have its benefits in various cases.

Advance Image Generation Part One

Textual Inversion is fine-tuning of Stable Diffusion with custom data. We can train new TI embedding per use case or used opensource.

There are positive and negative TI.

- for positive, adding embeddings name and weight to prompt, for example:
  
  portrait of woman SCG768-Euphoria:0.3
- for negative, there is pretrained easynegative.pt and example of use:
  
  easynegative:0.5 and badhandv4:0.5
As usual, compatibility of TI and different Stable Diffusion is important to be analyze before generating.

Textual Inversion

LoRA is technique for fine-tuning large language models. It freezing pre-trained model weights and injecting trainable layers in each transformer block, reduces the number of trainable parameters and GPU memory requirements.

Lora is a hybrid of Dreambooth and Textual Inversion. It modifies the model like Dreambooth (but not entirely), so it retains the right information while remaining flexible and lightweight, allowing it to be used with any model, similar to Textual Inversion.

Again, LoRa can be trained with custom data or used external embedding as:

"lora:epiNoiseoffset_v2": "81680c064e", "lora:iu_V35": "c9598ba347", "lora:analogDiffusionLora_v1": "b3db478ff8"

LoRA

Custom Models - Fine-Tuned and Merged Models

There are two primary methods in Stable Diffusion to intended for generating general or a particular genre of images: Merging and Training

Training or fine-tuning a model. Typically using the Dreambooth method, it involves introducing new images to the model, allowing it to learn and adapt to new concepts. This method is beneficial when you want the model to recognize and understand new types of data or scenarios. However, training a model can be time-consuming and computationally intensive.

Merging involves combining two or more existing models to create a new one. These merged models, also known as "mixes" or "checkpoint merges", use different mix ratios to blend the models. The resulting output retains elements from each of the original models, providing new insights or perspectives. Merging models is advantageous because it is easier and faster than training a model from scratch (from ‘0’).

We can download custom ready-to-go model on Huggingface or Civitai and utilize it (StableDiffusionXL, Flux etc all are custom checkpoints) or fine-tune an existed model, like DreamBooth.

Google Colab

Custom Diffusion

To do: how to merge models?

CLIP skips

The CLIP model's text embedding is composed of layers, with each layer becoming more specific than the previous one. Example:

The 1.5 model, for instance, goes 12 ranks deep, with the 12th layer being the final layer of text embedding. Each layer has a matrix of a certain size, and each subsequent layer has additional matrices. The text space is enormous, making it challenging to navigate.

You might want to stop earlier in the CLIP layers if you're not concerned about the subcategories of a particular concept. For instance, if you want an image of "a cow" you may not care about the specific breed of cow.

CLIP skips is essentially a setting that allows you to control the text model's accuracy. You can test this using the XY script (in Automatic111 repo) and observe how the images generated become more specific as you delve deeper into the CLIP layers. For a detailed prompt describing a young man standing in a field, a lower CLIP stage might generate an image of "a man standing" while a deeper stage could produce "a young man standing in a field"

CLIP skip only works with models that use CLIP or are based on models that use CLIP, such as the 1.x models and their derivatives. The 2.0 models and their derivatives do not interact with CLIP, as they use OpenCLIP instead.

By understanding the CLIP model structure and the concept of CLIP skip, you can generate images with varying levels of detail and specificity based on your requirements, optimizing your model's performance for your specific use case.

For example, clip skip: 2 parameter means clip stops at level 2.

Variational Autoencoder (VAE)

VAEs can enhance the rendering of eyes and text, where fine details are crucial. Stability AI released two variants of fine-tuned VAE decoders, EMA (Exponential Moving Average) and MSE (Mean Square Error). The EMA variant produces sharper images, while the MSE variant results in smoother images.

We don't need to install a separate VAE file to run Stable Diffusion, as any models we use, whether v1, v2, or custom, already have a default VAE. However, improved VAEs can provide better image reconstruction by recovering fine details more effectively.

Additionally, many custom models will already have a "baked" in VAE. Often noted in the model's name or description.

For example, to use the external VAE for more accurate generation, can download it from Huggingface and stabilityai/sd-vae-ft-ema · Hugging Face put under “VAE SD”.

AI Image Editing

Stable Diffusion Inpainting - process of filling in missing or damaged parts of an image. This cutting-edge technique is often employed to remove unwanted objects from an image.

See also my general explanation what is inpainting.

Inpainting models include:

- Context-awareness - designed to understand the context of the image, which allows them to generate more accurate and visually coherent results.
- Handling lighting and shadows: Specialized inpainting models are equipped to handle various lighting conditions and accurately reproduce shadows in the inpainted area
- Edge-aware processing: designed to preserve and maintain the integrity of the edges in the image, preventing hard edges or discontinuities. By effectively handling edge information, the inpainting process generates smooth transitions between the inpainted area and the surrounding region.
- Adaptive learning: specialized inpainting models are capable of adapting and improving their performance based on the input data. This enables them to produce better results over time as they learn from a variety of image scenarios and challenges.
🔆 Benefits of inpainting

For example, consider an image with a resolution of 512x768 pixels. If we want to inpaint a face within the image but require more detail and definition, we can increase the resolution to 1024x1536 pixels before applying the inpainting technique. The inpainting algorithm will work at the higher resolution, generating more detailed results for the area of interest. Once the inpainting process is complete, we can then downscale the image back to its original resolution of 512x768 pixels.
- Inpainting settings
  - Resize Mode - if the aspect ratio of the new image is not the same as that of the input image, there are a few ways to reconcile the difference. Used more for img2img and not inpainting.
  - Just resize - scales the input image to fit the new image dimension. It will stretch or squeeze the image
  - Crop and resize - fits the new image canvas into the input image. The parts that don’t fit are removed. The aspect ratio of the original image will be preserved
  - Resize and fill - fits the input image into the new image canvas. The extra part is filled with the average color of the input image. The aspect ratio will be preserved
  - Just resize (latent upscale) - is similar to “Just resize”, but the scaling is done in the latent space. Use denoising strength larger than 0.5 to avoid blurry images
- Mask Blur:
  - Higher the blur the more the AI will try to blend and blur the new inpainted image to the original image, reducing the "hard edge"
- Mask Mode:
  - Inpaint Masked - changing what has been "painted" in
  - Inpaint not masked - changing everything that has not been painted
- Masked Content - determines content is placed to put into the masked regions before they are inpainted. This does not represent final output, it's only a look at what's going on mid-process
  - fill - Initialize with a highly blurred of the original image
  - original - will take into account and use the original image underneath the mask (Used 90% of the time)
  - latent noise - Will not use any part of the image that is underneath the mask. Filling the area with complete random noise. . IMPORTANT NOTE: Be sure to use a higher denoising strength when using this option.
  - latent nothing - similar to laten noise, except just filles the area with no noise or nothing
- Inpaint Area
  - Whole picture - It will render the masked area with the whole image each time. Keeping the same resolution as the whole image.
  - Only Masked - It will render only the masked area and not the whole image. Meaning we could render a new face at a high resolution then the original image
    - Only masked padding, pixels - Padding is the area around the outside of the mask. Pixels is the "measurement or distance" we want to extend the padding. Larger the padding means the model will be able to "see" more pixels around the masked area to use for the generation.
- Denoising Strength:
  - Slider between 0 - 1: The denoising strength tells the model how much we want to change the original image. 0 meaning zero changes will be made and 1 meaning it is a completely new image. 0.6 to 0.8 are usually really good starting points.
The outpainting feature in Stable Diffusion allows users to extend the image and add additional elements. This feature considers the existing visual elements of the image, such as its background, shadows, reflections, and textures. Users can create larger images or recreate famous paintings by using different painting techniques and adding more pixels to fill in gaps and create the illusion of depth.

The Outpainting tool can be used to correct cut-offs, off-center subject matter, and to combine frames with subjects to create new images. It can also be used to expand an image's view and add textures, shadows, and other visual elements while preserving the context of the original photo.

Stable Diffusion Outpainting

The outpainting feature in Stable Diffusion allows users to extend the image and add additional elements. This feature considers the existing visual elements of the image, such as its background, shadows, reflections, and textures. Users can create larger images or recreate famous paintings by using different painting techniques and adding more pixels to fill in gaps and create the illusion of depth.

The Outpainting tool can be used to correct cut-offs, off-center subject matter, and to combine frames with subjects to create new images. It can also be used to expand an image's view and add textures, shadows, and other visual elements while preserving the context of the original photo.

See also my general explanation what is outpainting
Advance Image Generation Part Two

ControlNet

Control Net, in simple terms, a neural net architecture that's revolutionizing the way we interact with stable diffusion models. By allowing us to introduce extra conditions, ControlNet is pushing the boundaries of what's possible in this fascinating field of study. From image generation to animation creation, ControlNet opens up a whole new world of possibilities.

I love explanation I gave to ControNet - it controls what and how StableDiffusion works.

Control Poses

To Control Poses is widely useful OpenPose model and ControlNet. There are various types of what to recognize and process: whole body, face only, hands only or using depth model for whole body detection.

ControlNet Lighting

In combination with Depth model it generate images with simulation of different light sources and from different sides.
AI Animations

Animation was not in scope of my projects, so I just fast review it.

Page updated

Google Sites

Report abuse