THE first legally binding international treaty on privacy and data protection was signed 43 years ago. The authors who gathered in 1981 could hardly have imagined the explosion of data (and its misuse) in the following years, through the emergence of Big Data, the World Wide Web, social media and, undoubtedly, the popularisation of generative AI in 2023.

This year’s Data Privacy Week (Jan 22-27), an international initiative to promote awareness of data privacy and data protection, calls on us to “take control of your data” and urges us to pay closer attention to when we are sharing personal information and what value we are getting in return.

But the real power and responsibility to take control of data for the common good lies with industry, with the organisations that collect our data, not with the users of their products and services.

Here are some tips for organisations on how best to manage data privacy:

1. Capture the context

Privacy is conditional by nature. We agree to share our data under certain conditions but otherwise keep it private. For example, I might be happy for a bank to use my data to develop algorithms that detect fraud, or to offer me relevant products, but at the same time I can withhold consent to share my data with third parties that want to market to me.

A rich set of factors make up the context for data usage: what information is in the dataset? Does it contain personally identifiable information? Why was it collected? Where does it come from? Who will have access to the data? Where will it be stored and processed? How will the results of data analysis be used?

GET BT IN YOUR INBOX DAILY

Start and end each day with the latest news stories and analyses delivered straight to your inbox.

Sign UpVIEW ALL

Capturing detailed contextual information is critical, but the data management tools to achieve this are already available for business to use. Data catalogs provide rich descriptions of the data elements. Classification tools assign meaning to data and detect sensitive information. Data marketplaces provide transparency around requests for access to data, capturing who is asking and what they will use it for.

2. Build policies as a system of record

Ad hoc decisions about data access can be slow, inefficient, subjective and error-prone. They offer little evidence to support and defend decisions later. Instead, policy-based approaches reduce risk and bring consistency in the process.

Policies define the actions that should be taken to protect data whenever access is requested for a specific context. They encode an organisation’s approach to data privacy, providing greater transparency and auditability of data use.

3. Reduce risk with privacy-enhancing technologies

The situation is rarely as simple as allowing or rejecting access to entire datasets. As best practice, access should be limited to the fields and records that are required for a specific project. Companies can further contextualise the sharing of data and enforce policies at scale using fine-grained access controls, de-identification and privacy enhancing technologies.

Data that directly identifies an individual, such as customer account numbers, can be replaced with a pseudonymous value with no direct link back to the individual. Indirect identifiers like date of birth, gender and location data can be generalised to lose their specificity without losing their value in data analysis. For example, provide an age range rather than specific date of birth.

Other, more nascent privacy enhancing technologies go further to enable safe data sharing. Examples include fully homomorphic encryption (FHE), allowing computation on encrypted data, and differential privacy (DP), which ensures the output of a computation reveals nothing specific to any particular individual.

4. Automatically enforce data access policies

Policies allow for a high degree of automation, ensuring that the same access decisions and privacy transformations are applied in similar scenarios. The full benefit can be realised when policy enforcement is built into all the processes a company uses to move and share data. Then privacy is baked into the process for every use of data by default.

5. Broaden access to data

Data privacy is an enabler. The data-driven economy depends on the confidence of individuals that they truly retain control over how their personal data is used, safely and appropriately, in business activities like data science and AI. The rewards for responsible organisations include product innovation, service improvements, efficiency gains, informed business and policy decisions, better relationships with customers, happy employees and more.

Businesses can respect privacy while reaping the benefits of data, analytics, and AI, even with the recent explosions in data volume and complexity. Data Privacy Week is the perfect time for companies to review their data position and make improvements that will help benefit all stakeholders.

The writer is vice-president of privacy and security at Informatica