Most have been in this situation before: one of the providers or services we use is a victim of a data breach and we want to determine if our personal user data has been impacted. This is where fully homomorphic encryption (FHE) comes into play. With FHE, the encrypted, personal password is compared against the data set of stolen user data and potential matches are identified without ever revealing the user’s password.

Use cases for this type of privacy-enhancing technology (PET) are numerous. They range from applications in medicine, where third-party service providers can analyze health data without compromising a patient’s privacy, to performing machine learning and AI algorithms on encrypted data, allowing organizations to derive insights from sensitive data sets without exposing the data to potential breaches or privacy violations.

How It Works

Fully homomorphic encryption allows calculations to be performed on encrypted data without having to decrypt it first. Confidentiality is maintained, as even the results are encrypted and can be viewed only with the appropriate decryption key. Further techniques for processing encrypted data are multi-party computation (MPC) and trusted execution environments (TEE).

Mathias Kohler, research manager at 51·çÁ÷Security Research, outlines the differences: “While FHE is the most known of the encryption technologies, MPC is the ideal candidate if working with several parties exchanging encrypted data across company borders. And it can be substantially faster than FHE.” While both are software-based technologies, TEE is hardware-based, which makes it the fastest choice. The downside: TEEs, unlike MPC and FHE, require decrypting the data for processing. While decryption happens in a trusted hardware environment isolated from the operating system, it can allow data leakage via side-channel attacks. Notably, PETs do not need to be considered in isolation and can augment each other. For example, MPC can encrypt and distribute an FHE decryption key, protecting the FHE key and ensuring no single party can decrypt everything.

Why It’s Relevant

There is a demand for this kind of technology. By 2025, 60% of large organizations will use at least one privacy-enhancing computation technique in analytics, business intelligence, or cloud computing, according to .

Fully homomorphic encryption has numerous applications, especially in scenarios where privacy and security are paramount, such as secure computation in the cloud, privacy-preserving data analysis, and secure outsourcing of computations. As long as one party is performing the data processing centrally, FHE is the encryption method of choice. FHE enables organizations to share encrypted data with partners or third parties for analysis or monetization purposes while maintaining data confidentiality. This is particularly relevant in industries such as advertising and market research.

Interesting use case scenarios from SAP’s perspective could be secure benchmarking and predictive maintenance.

Secure Benchmarking

Companies often assess their competitiveness relative to industry peers and compare business-relevant KPIs, such as automation rate or return rates, with peers and even competitors. With fully homomorphic encryption, all participating parties can share encrypted KPIs without revealing individual data. As a result, they learn about relevant statistics, such as averages or medians, to assess their relative competitiveness and decide where to improve and invest.

Predictive Maintenance

Predictive maintenance is a machine learning technique to forecast demand for maintenance or spare parts based on historical data. “In certain industries, required data, such as usage patterns and failures, is considered sensitive and is not easily shared with data scientists or maintenance operators,” says Anselme Tueno, senior researcher at 51·çÁ÷Security Research. By computing on encrypted data, however, no sensitive information is revealed while still allowing for the required insights to be gathered for prediction tasks.

Carbon Footprint Calculation with Multi-Party Computation

While it is early days from a product availability perspective, 51·çÁ÷is working on potential use cases with customers and partners. One key example is calculating carbon footprints of products.

Prime examples for complex collaborations are today’s supply chains, intricate networks that encompass various levels of suppliers, manufacturers, and processed goods. Unfortunately, there is often a lack of comprehensive visibility across the entire process – either for technical reasons or because businesses are often reluctant to share sensitive data across supply chains that often include direct competitors.

However, to accurately assess and disclose a product’s carbon footprint, sensitive production details and associated carbon costs for production-relevant parts and materials are required. Here, MPC can reveal only the required carbon footprint without disclosing associated, proprietary manufacturing details with other supply chain participants.

Currently, 51·çÁ÷is working with Bosch on cloud-native software for secure multi-party computation called .

“51·çÁ÷participates in this open-source project and supports the development of Carbyne Stack’s storage and processing services and the deployment of Carbyne Stack on Amazon Web Services (AWS),” Kohler explains. “For Bosch, Carbyne Stack is a type of cloud-native operating system for MPC workloads that manages resources to run as efficiently as possible in multi-cloud deployments.” This effort can help 51·çÁ÷in the long run to integrate MPC as technology into 51·çÁ÷solutions and services while running in a cloud-native environment.

What’s Next?

Despite all the benefits around processing data, encryption introduces significant computational overhead due to the complexity of performing operations on encrypted data. Slow processing speeds, especially for complex operations and large data sets, makes fully homomorphic encryption impractical for real-time applications or large-scale data processing. Although the performance of FHE has greatly improved in recent years, its practical adoption is still limited due to the processing overhead and performance considerations. Ongoing research is focused on the design of FHE-specific hardware accelerators.

“PETs for computing on encrypted data have the power to amplify data-driven business collaborations and reshape the future of cloud computing,” explains Jonas Böhler, senior researcher at 51·çÁ÷Security Research. By safeguarding data, they enable access to previously untapped information while minimizing privacy risks and thwarting data breaches. The future of computing is encrypted.

At the moment, we identify ourselves online in one of two ways.

Typically, we sign into an online service – a Web site or app – using an e-mail address or username and password, and in doing so share some of our personal information. With this method, whenever we switch to another service we have to repeat the log-in process with a different password. This leaves fragments of our data behind on each service we use and forces us to create and remember a different password for each one, which is annoying but essential for security reasons.

The more convenient option for initial log-ins is to use a “social log-in,” such as your Facebook ID, which allows you to use the same username and password to access a variety of different services. With this one “federated identity,” you can complete your initial log-in to a participating app or service by simply selecting “Sign in with….”

The downside of this convenience is that your personal data – and that of millions of other users – is controlled by a single company, creating honeypots of data that hackers have often successfully targeted in the past. There are many examples of sensitive information being stolen, including address data, medical data, credit card details, and more. Aside from not being ideal from a privacy perspective, most people would probably not feel comfortable using a social log-in to access a sensitive service like their bank account.

But there is a third option. Self-sovereign identity (SSI) – also known as decentralized or portable identity – allows users to identify themselves on the Web using credentials stored in a digital wallet on their smartphone. It offers the same convenience as a social log-in, but the user is in full control of the data.

“This technology is not owned by a company,” says Mehran Shakeri, development team lead at . “It’s the first completely open standard for digital identity on the Web, and it gives individuals maximum control of their data when deployed with a proper registry.”

User-Friendly ID Technology – For Businesses Too

Companies and organizations can also use SSI technology. After all, they also have an identity – usually in the form of a public entry in a commercial register. For example, when logging into a business network, a supplier must share a range of data, including its tax number, IBAN, and postal address.

Currently, this data cannot be automatically verified. Entities created in internal systems must be verified using a relatively complex and costly third-party service. Records can be inconsistent and difficult to keep up-to-date. Data is often transferred from one system to another without being automatically verified.

This major issue can be solved if a company has a self-sovereign identity. Its digital wallet then serves as a single, vetted source of truth and there is no need for an external third party to verify its credentials.

This opportunity for a “golden record” of master data extends beyond company boundaries. “At 51·çÁ÷Innovation Center locations, we have projects in progress with DATEV, the Dutch government, and a host of other customers to validate use cases with SSI,” says Alexander Schaefer, head of 51·çÁ÷Innovation Center California. “We see tremendous potential in integrating the SSI standard into 51·çÁ÷software.”

This technology would eliminate many of the identification processes currently in use, some of which are highly complex. Anyone who has opened an account with an online bank knows just how many steps it takes to prove your identity. With SSI, all users have to do is scan a QR code with their smartphone to share the relevant, verified credentials stored in their digital wallet. This digital wallet can be on their phone or laptop, for example, as a browser plug-in. The wallet is secured by common authentication mechanisms such as FaceID or TouchID, which have proven to be very secure.

Trusted Authorities Can Issue Credentials

For SSI to work, individuals need a digital wallet containing credentials that have been issued by a trusted third party – such as their driver’s license, MBA certificate, or tax ID. An empty wallet is useless. Trusted authorities that hold this type of data can issue the relevant credentials, which is why it is so essential that these entities adopt SSI.

Among the many companies that can issue these credentials, German IT service provider was one of the first to embrace the concept. “Together with DATEV, we have demonstrated how self-sovereign identity enables seamless business processes across ecosystems. Transactions from all parties are digitally notarized and tied to their cryptographically verifiable credentials,” says Schaefer. With decentralized identity, master data of organizations becomes trustworthy, which can ensure that companies communicate with verified and trusted partners in the ecosystem.

Before we can all be issued with these credentials, however, SSI technology needs to be widely adopted. Shakeri is confident that mass adoption will come. “There is hardly an industry that would not benefit from SSI,” he says.

SSI as a Driver of Transparency on Sustainable Business

To enable apps to use SSI for business-to-business communication, 51·çÁ÷Innovation Center Network has developed a multi-tenant service built on (51·çÁ÷BTP) called Decentralized Identity Management. With this service, customers can issue and manage verifiable credentials – and verify the credentials themselves – creating the foundation for a decentralized business network where multiple parties can collaborate and share data.

Shakeri’s team is currently working on a use case for sharing ESG (environmental, social, and governance) certificates. “These certificates certify that a supplier operates sustainably, does not use child labor, does not exploit its suppliers, and so on,” he says.

At present, it can be time-consuming to achieve transparency in the supply chain, particularly in terms of how well individual suppliers focus on sustainability in their businesses. With SSI technology, it will be possible to check whether suppliers operate sustainably by requesting their ESG certificates from their digital wallet before deciding whether to work with them.

SSI could even make it possible to trace the origins of a product’s individual components across supply chain parties that work with different solutions – theoretically all the way back to the raw materials. While there is still work to be done to bring the full vision of SSI to life, customers can already benefit from the technology today in one of the many use cases that are likely to be significantly impacted by this technology. This can include supplier onboarding, master data management, and supply chain collaboration in the areas of sustainability and human rights.

Data privacy, risk management, and cybersecurity remain key priorities for businesses in 2023 to ensure continuous high performance and to catapult to new heights. In a recent , 43% of survey respondents said that they plan to upgrade IT and data security to reduce corporate risks. That includes security and data protection measures to keep their data safe. This becomes even more important when moving to and operating in a cloud enterprise resource planning (ERP) environment to drive continuous innovation. In the same CIO survey, 12% of the respondents said that they are planning to accelerate the move to the cloud as a service.

Adopt a Zero Trust Security Approach for the Cloud

To secure data and operations in a hybrid work environment, companies have been adopting a zero trust approach. defines zero trust as an “information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy, informed by continuous, contextual, risk-based verification across users and their associated devices.”

According to 2022 global survey data published by , 39% of companies have already begun to roll out a zero trust solution and 41% of companies have plans to adopt a zero trust strategy and are in the early phases of doing so.

My principle in life is to trust people and systems until I am provided a reason not to. The zero trust principle is the exact opposite of this.

The zero trust approach has three key principles: all entities and users are untrusted by default until authorized, the least privilege access is enforced, and extensive security monitoring is in place. In short, no connections to corporate networks and systems should be trusted at sight. All users, devices, and systems need to be authenticated, reverified, and continuously monitored when accessing networks, systems, and data.

Adopting this approach to cloud transformation has become the leading industry standard to keep operations and data safe across the entire virtual and physical network infrastructure.

Here are some best practices for putting an enterprise security plan in place that utilizes zero trust concepts to run operations safely and securely in the cloud.

Define Clear Security Roles and Responsibilities

First and foremost, ensuring security is always a shared responsibility between companies and their cloud transformation partners. It is a common goal and commitment that is independent of the type of cloud path companies take.

Like with any shared responsibility, the best way to approach it is by defining the roles and responsibilities up front. This process starts by asking these key questions: who is managing the cloud, how will everyone work together to secure the cloud, who is responsible for which part, and where are dependencies?

This will ensure that there is a clear strategy and plan to monitor and implement security policies and measures.

Keep an Eye on Users, Devices, Network, Applications, and Monitoring

Based on our experience at 51·çÁ÷Enterprise Cloud Services, another best practice is to focus the zero trust security approach on five pillars: users, devices, networks, applications, and monitoring.

Eighty-seven percent of organizations consider the application layer as being the front door for data breaches. Most data breaches through cyberattacks happen because users fail to keep their credentials safe or fall prey to false identities. In addition, the number of remote users with their own devices has significantly increased in enterprise networks as well as the number of cloud-based assets that are not located within an enterprise-owned network boundary.

By regulating and monitoring user access to devices, networks, and applications, companies can protect all their resources, including assets, services, workflows, and network accounts. For example, identity management systems can manage privileged user authentication and access at a very granular level. This includes keeping administrative accounts separate from corporate accounts and applying encryption to several layers in the IT environment. Data classification makes it possible to associate the security levels with specific types of data, regardless of where that data resides – in the cloud, at endpoints, or in owned data centers.

Scaling Security Needs Faster with the Cloud

While managing the complexity of security needs for cloud transformations can be daunting, here is an added merit: companies can scale their security needs much faster in the cloud, according to research. Benefits include better automation capabilities as well as higher storage and data capacity in the cloud. Companies can push infrastructure as code and fix a security problem in real time when operating in the cloud. Automation also helps in increasing the maturity of identity management and security management systems. recommends embracing cybersecurity as a differentiator to promote greater stakeholder trust and better use of cloud-native solutions that take advantage of the cloud’s full potential.

In other words, you can shine like a diamond on your cloud platform of choice with a zero trust security approach for the cloud.

For more information, visit the site and read this chief security officer for 51·çÁ÷Enterprise Cloud Services.

Peter Pluim is president of 51·çÁ÷Enterprise Cloud Services and 51·çÁ÷Sovereign Cloud Services.

It is well known that more diverse teams bring creativity and innovation, and diverse organizations are more likely to be profitable than their competitors. According to Gartner, diversity, equity, inclusion, and belonging (DEIB) has been ranked among the for HR Leaders in 2022.

But as we know, simply recognizing the importance and value of DEIB is not a solution – and making meaningful change is difficult. For strategic DEIB initiatives to succeed, organizations need data, and this is where many struggle. The data dilemma is two-fold: obtaining the right data about their people and being able to manage and interpret it properly. By rethinking when and how to ask for data, organizations can gain a clearer sense of who is in their workforce and how they can continuously improve their experiences surrounding DEIB.

DEIB data collection is a sensitive issue because employees may want to keep certain aspects of their identity private. The potential consequences of revealing one’s identity – particularly what may not be apparent to others, such as sexual orientation or religion – vary across time and place. Employees may face insensitive questions, microaggressions, outright prejudice, or even discrimination as a result. When employees anticipate these consequences, they feel less comfortable taking the risk of sharing their identity, and this lack of psychological safety leads to less self-reporting. The result is that leaders lack access to DEIB data to understand and improve the organization and, most importantly, the employee experiences of their people.

At 51·çÁ÷SuccessFactors, we talked to globally on the scarcity of personal data and our findings show the issues are structural. Employees do not understand why some personal data is being collected or how it’s being used. To avoid bias and discrimination, they refuse to share this personal information.

So, what are the structural issues and how can they be addressed?

Using employee onboarding as an example, think about the data often requested on day one: name, date of birth, address, bank details, gender, marital status, along with potentially detailed identity data.

This is a lot of personal information to give an organization that an employee does not yet know or trust. Asking them only in the initial stages of joining an organization makes little sense and ignores the fact that identities can change over time. Instead, organizations need to earn the trust of employees and be strategic about when and how often they ask employees for social identity data.

Transparency Is Key: How to Help Employees Feel Comfortable with Sharing Their Identities

Organizations should think of addressing the various aspects – like demographics – of an individual’s identity, timing the reporting process, and, most importantly, ensuring trust among the individuals that their data will be used constructively and privately.

Transparency here is key. Employees need to know who will have visibility into their personal data, to what extent, and for what purposes. They also need to understand how technology systems will use the data, which requires organizations to be clear about their strategies and policies on managing bias.

Maybe organizations want to identify and support underrepresented groups or improve employee experiences in targeted areas. Specificity is also key. These noble intentions must come to fruition with clearly communicated programs and results tracking to gain the trust of employees and make them feel confident that their details are in safe hands. The more information employees are willing to self-disclose, the more organizations will be able to improve and individualize their experiences in return.

To recap, changing when and how organizations ask for personal data can result in greater self-reporting.

• Start with the less sensitive data you already have, like date of birth, place of birth, and current location.
• Gain employee trust by clearly communicating the benefits of self-disclosure and where and how their data will be used.
• Collect data on a regular basis, particularly after , to better understand changes in identity.
• Communicate to employees how this data has informed the development and execution of the DEIB strategy.

The journey to address DEIB within an organization cannot be completed overnight. Intentionally and intelligently collecting and using data can help employees feel comfortable bringing their whole selves to work. On the other hand, by knowing their people better, organizations can explore ways to foster .

Amy Wilson is SVP of Products and Design at 51·çÁ÷SuccessFactors.

Record numbers of women have already left the workforce to take on familial and care duties during the pandemic and once the pandemic ends – . However, the proverbial crystal ball needn’t be right if HR leaders use this rare and unique opportunity to address employee well-being.

But how? There are several ways, all addressed in the SAPPHIRE NOW session “” presented by 51·çÁ÷SuccessFactors Chief Scientist Dr. Autumn Krauss. The eight meta-trends she explored in the session were derived from 267 individual trends identified and researched further by 51·çÁ÷psychologists. Those who acknowledge and address these trends sooner rather than later, Krauss explained, will enjoy stronger, more resilient and agile organizations where people thrive – and want to stay.

One meta-trend, “renewed emphasis on holistic well-being,” speaks to the issue directly. It’s now more critical than ever for HR leaders to identify and work with employees on specific physical, mental, financial, and social well-being stressors in a holistic manner and across the entire employee life cycle.

The other seven meta-trends, however, ladder into the importance of providing a safe, inclusive place to work, where people believe they can learn and grow.

Here are the other seven meta-trends and a quick look at how they connect to – and magnify – the importance and value of investing in employee well-being.

1. Rise of the Hybrid Workforce

We learned that hybrid work is both possible and profitable. But moving forward, organizations must create a playbook to ensure that a cultural rift doesn’t widen between corporate workers, who generally have flexibility to work remotely, and field workers, who do not. In a two-tier work culture, employee well-being will prove inconsistent.

2. Employees Owning Their Learning and Mobility

Learning and development initiatives aren’t just key to agility – they’re key to retention. People want to stay where they feel valued, as signified by the organization’s investment in their career development. Along with creating a culture of learning, technology will be essential in delivering a more positive learning experience so people can take ownership of their future.

3. The Purpose-Driven Organization

Now more than ever, companies are needing to walk the talk and prioritize issues of social justice, even working them into their strategies. When companies invest in advancing diversity, equity, and inclusion (DEI) and sustainability efforts into business strategy, people will see and feel results that motivate them.

4. HR in the Spotlight

HR earned considerable political capital since the start of the pandemic when it helped the C-suite formulate a COVID-19 response and also helped people navigate it. Now’s the time to spend that capital on using evidence-based decision-making and a sound talent strategy to work in lockstep with the wave of workforce and initiatives on the horizon.

5. Balancing Data Intelligence with Data Privacy

For the foreseeable future, digital technology will be leveraged to improve the employee experience – but data tracking and privacy will become more important topics as a result. No amount of digital transformation to improve the employee experience will matter if HR can’t simultaneously address people’s concerns about their privacy.

6. Individualizing the Employee Experience

Just as the Starbucks app knows how you like your latte and can predict what else you may like, HR technology needs to provide the same level of personal, individualized experience. The more people feel that they’re getting a consumer-grade experience at work, one that taps into their hopes and ambitions and addresses their pain points, the happier and more motivated they’ll feel. But organizations can’t just collect data, they need to act on it appropriately to curate impactful experiences.

7. Agility: From Buzzword to Business Imperative

Among other things, COVID-19 taught many companies that they’re too slow to react to disruption. By addressing their people practices, however, and building resilience and agility on the individual level through enhancing employee well-being, organizations will be able to break up traditional hierarchical structures. This will allow them to understand the workforce’s change readiness, change capacity, and resilience – and better anticipate, endure, and even capitalize on future disruptions.

All these meta-trends speak to a simple, straightforward ideal: the more organizations directly address the various facets of well-being, and do so on a personal, individual level, the more likely it is that engaged, motivated people will stay and give their best. Nail well-being and the business will be much healthier, too.

To learn more, check out or replay .

Lauren Bidwell, Ph.D., is a senior research scientist at 51·çÁ÷SuccessFactors.

AI’s Role in Secure Data Anonymization

The simple truth about AI is that, when used responsibly, it doesn’t have to force a costly bargain between personalization and privacy. General Data Protection Regulation (GDPR) protects personal data in many regions, confining its use to specifically consented purposes. In other countries, organizations protect customer data to foster trust aligned with corporate and societal ethics. In the meantime, companies continue amassing an explosion of data that can help them get closer to customer needs, head off problems, and develop future innovations. AI models that scrub all this valuable data of personal identifiers are the answer.

“Instead of using someone’s personal data, companies can train AI models to anonymize the information and create what’s called differential privacy datasets,” said Francesco DiCerbo, research lead for AI Privacy at . “We can add random noise to the details about single individuals while preserving the overall statistical properties of the population. Think of it as seeing the silhouette of a person you can’t identify.”

DiCerbo’s team uses AI-based tools in personal data protection solutions and conducts research on advanced anonymization techniques. He added that anonymized data offers another layer of protection for individuals and organizations in case of security breaches.

Natural Language Processing for Data Privacy

AI can be fantastically helpful in anonymizing data because of its relative simplicity. One of the tools DiCerbo’s team is using relies on natural language processing (NLP) to identify and anonymize personal data from text such as customer orders, invoices, and e-mails. The tool discerns the meaning of words and numbers in semantic context such as names, locations, or organizations.

Grammatically, NLP can identify which words in a sentence are verbs or whether a number is an expiration date, someone’s birthday, or a social security number. Once it determines which words consist of sensitive personal data, that information is labeled accordingly. Those words or numbers might be geofenced to comply with country-specific regulations or restricted to designated personnel for specific uses only.

AI Fuels Company-Wide Business Advantages

predicted that by next year, at least 65% of Global 2000 companies will use AI tools such as NLP across the business to enable 60% of use cases in areas including customer experience, security, facilities, and .

AI-driven data anonymization offers just about every industry tremendous advantages. Consider healthcare clinicians who regularly supply insurance companies with valuable data about patient diagnoses, treatments, and outcomes. AI can anonymize deeply personal patient information while still extracting insights. Insurance companies can use this scrubbed data to better classify and predict a range of payment standards based on generic, yet accurate, parameters.

Retailers could use AI to better understand and improve the from anonymized feedback in social media, product reviews, or e-mails.

“You can train AI models to capture customer complaints about a product or service, sifting out identifying personal data while bringing the rest of the anonymized feedback into a new dataset,” said DiCerbo. “Analyzing this data, retailers can spot trends like lost shipments or defective merchandise, sending reports to appropriate departments. Teams can take steps to prevent problems, lowering costs and increasing customer satisfaction.”

Similar to customer data, organizations could use anonymized information to boost the . An AI model could be trained to determine employee stress levels based on certain keywords and other elements in HR tickets. To protect employee privacy, the tool would distinguish and separate any personal identifiers. The company could use the findings to not only prioritize HR ticket processing for speedier resolution near term, but also address unexpected employee stressors, such as a global pandemic.

Like any technology, AI is neither inherently good nor evil. Dystopian conversations about using AI to identify individuals for controlling or other nefarious purposes certainly capture audience attention. But what if we also gave equal time to explore doing just the opposite with AI, using it to not identify individuals? With the right intentions and scrupulous techniques, we can make AI a force for the larger good of business and society.

Follow me: @smgaler
.

Times have changed, and with them, so has the approach to data privacy. New regulations pivot on the notion that data belongs to individuals, not the enterprises that collect it. Instead of just masking or hiding the data, companies need to provide fundamental data accountability to their employees and customers.

But how can enterprises be accountable for data when they don’t know what they have, where it is, who it belongs to, where it’s been, or where it’s going? To meet today’s mandates and user expectations, companies need to completely rethink data protection.

Personal Information, Defined

Data privacy is a game changer. Until recently, though, it was very low on the list of enterprise priorities – even for chief information security officers, CIOs, and board members.

The breach regulations that were introduced over a decade ago were based on the idea of protecting personally identifiable information (PII). PII is defined as highly identifiable information and data that can be uniquely correlated with an individual, such as a Social Security number or a credit card number.

Data privacy is different. It requires companies to take responsibility for the collection of data that belongs to an individual – a concept known as personal information (PI).

The trouble is that PI is not necessarily highly identifiable. Here’s an example: a birthdate is one date in the 365-day calendar. That’s not highly identifiable. A GPS location is a point on the globe. Again, not highly identifiable. An eight-digit string of numbers could refer to many things.

But when these bits of data are in a different context, they can be highly personal and thus qualify as PI. If the birthdate is mine, or the GPS location was collected as part of my mobile session, or if the string of digits is my password to an application, it’s all highly personal and highly confidential. When data such as an IP address, cookie, session key, date, gender, birthdate, password, or location is about me, that is PI.

Preliminary Data Identification Processes

New privacy regulations require companies to find and protect PI. The European Union’s General Data Protection Regulation (GDPR), implemented in May 2018, and the California Consumer Privacy Act (CCPA), which came into effect January 1, 2020, are two high-profile examples of PI legislation. More than 20 other U.S. states have privacy-related draft bills and there is talk of a federal law.

With this legislative push, companies can no longer ignore the need to protect data privacy. Decision-makers need to get acquainted with the implications of these laws and identify compliance gaps.

Most organizations begin by revising their data identification and classification processes. They look for ways to find and identify data manually, because that seems like the simplest approach. Then they implement policies to reduce the scope of things that fall under their responsibility. The majority of companies are still at this point in the data privacy process.

Before long, however, organizations realize that the ROI is so unattractive and the accuracy of these processes is so poor that they need to replace manual efforts with automated approaches.

The only way to identify PI is to use context to determine whether data is personal. That requires a completely new way to examine and assess data. That’s where innovative new technologies come in.

Context-Sensitive Technologies

New purpose-built PI technologies address these privacy-centric data discovery and data intelligence use cases. The solutions bring data science, machine learning, and advanced data insight to the challenges of data privacy, helping enterprises safeguard and steward data by finding it and learning its context. The solutions also help companies track and govern their customer data at scale, which is important when dealing with huge and growing volumes of data.

New enterprise data intelligence technologies work with different IT systems, applications, and products – on-premise or in the cloud – to discover PI. Using context, it automatically finds hidden information and relation- ships among data to identify PI and inventory it by data subject and residency. Advanced solutions use dozens of parameters to score the data and then build a map of the data and its flows, which is especially important for tracking ephemeral data assets.

This data privacy technology is basically the IT version of accounting standards like GAAP. Before GAAP, there was no standardized way of tracking deposits and withdrawals in financial institutions. The introduction of standards helped banks identify funds and report information in a standard way – allowing any analyst or observer to understand the health of the business.

With data, organizations traditionally collected information from individuals, but what happened to it afterwards was unclear. With no GAAP-like standards, it was up to the enterprise to determine how or whether the data was protected, tracked, or reported.

Now people say that “Data is the new oil,” or “Data is the new currency of the digital enterprise.” New data privacy regulations recognize data’s increasing importance. But they also demand that organizations reconsider data and how they protect it.

To be compliant, companies must know where they got their data, who can access that data, and whose data they have. They need insight into where they stored the data and who they shared it with. And if they are sharing data, enterprises need to know why they are sharing it and whether they have the permission of the data owners to do so. The answers to these questions not only help companies meet these compliance requirements but also get a handle on their most important assets.

Opportunity for New Business Value

The way enterprises understand, process, and protect their data influences the type of consent management functionality they offer users. Until recently, gaining user consent was a matter of asking users – repeatedly – to agree to allow their data to be collected and used. These repetitive pop-ups and interruptions can be overwhelming for users.

Fortunately, regulations like CCPA make it easier for users to opt out of data collection by inverting the power dynamic. Instead of a long series of radio buttons requesting unlimited rights to data, new consent management features allow individuals to quickly and easily refuse to allow organizations to resell or reuse their data. The responsibility then falls to each enterprise to ensure there is no violation of the user’s opt-out request.

Yet meeting this challenge requires companies to gain more granular insight than has been available previously. Enterprises need to know where all of a person’s data is throughout the data lifecycle – whether it resides in files, data warehouses, data lakes, business solutions, mail applications, or messaging apps, to name just a few possibilities. Then they need to be able to disambiguate the information, knowing when an eight-digit numeric string is just a sequence of numbers and when it is a password. Also important is the ability to find contextual PI and connect it to an individual, which requires understanding of data both at a single point in time and as it evolves over time.

All of this information is critical to meeting new PI compliance requirements. More importantly, it can help companies get more value from their data assets. With the proper context, organizations can know where customer data is – across multiple countries, languages, and businesses. Essentially, they’ll have a much richer understanding of the crown jewels of the organization.

With that understanding, not only is there an opportunity to do better – in terms of revenue and profitability – but enterprises can more effectively protect their assets. Context-enabled insight allows companies to reduce data duplicates and rationalize the infrastructure needed to support the data. It also helps identify the right time to consolidate servers or migrate data to the cloud.

What’s more, a complete inventory of the data can help companies identify potential vulnerabilities, areas of exposure, and potential for non-compliance. They can also better safeguard data, get more value from it, and reduce overall costs. And that’s value that today’s businesses cannot resist.

About Horizons by SAP

Horizons by 51·çÁ÷is a future-focused journal where forward thinkers in the global tech ecosystem share perspectives on how technologies and business trends will impact 51·çÁ÷customers in the future. The 2020 issue of Horizons by 51·çÁ÷focuses on Context-Aware IT, with contributors from SAP, Microsoft, Verizon, Mozilla, and more. To learn and read more, visit .

Read more 51·çÁ÷by Horizons stories on the 51·çÁ÷News Center.

Dimitri Sirota is CEO of BigID.

Modern supply chains are ground zero for what many industry experts call the phase level of “hyperconnectivity.” We love getting the goods we want as quickly and inexpensively as possible, but it takes an awful lot of data sharing between totally separate companies to make it work. Organizations across the value chain – from farms and factories to shippers, wholesalers, and retailers – are engaged in a daily balancing act between sharing information and having control over it.

Collaboration Trends Reveal Benefits and Challenges

Hyperconnectivity figured into numerous industry analyst predictions this year. By 2024, saw 45 percent of consumer-facing businesses providing a fully seamless connectedness – with good reason. These analysts said that by 2025 “fully connected enterprises will realize at least twice the return on investment through gains in revenue customer retention, infrastructure longevity, and process and cost efficiencies.”

researchers found that enterprise data strategy continued to be a top initiative for executives, because “it’s critical in unlocking a firm’s digital transformation — and necessary to take advantage of AI and machine learning.” They predict advanced companies will double their data strategy budgets.

At the same time, Gartner analysts listed “transparency and traceability” in the firm’s “.” They said highly connected systems in smart spaces will increase opportunities for business transformation but also create new challenges in security and risk.

Encryption Could Balance Privacy Versus Value Equation

In this interview at the , Axel Schroepfer from the shared an example of how companies could use homomorphic encryption to share information with partners across a hyperconnected supply chain without compromising data control.

“Suppose you’re a tire manufacturer and a buyer needed 400,000 tires,” explained Schroepfer. “You could use a cloud-based service that calculated the best tire delivery lot size for cost-efficiency and planning for both parties. The beauty of homomorphic encryption is that the original data is never revealed – even within the service itself. This formula-based approach could help companies solve the conundrum of how to gain value from business-critical data without sharing private information between buyers and suppliers.”

A Formula for Collaborative Success

Homomorphic encryption is emblematic of the kind of innovation certain to emerge as hyperconnected business matures. In Schroepfer’s example, the service would use a mathematical formula on top of encrypted data to calculate results without ever seeing the actual data. He saw potential opportunities for this kind of encryption in other areas such as pool buying, where groups of companies collaborate for better prices without sharing internal data. It could also help prevent business fraud.

In a hyperconnected supply chain, partnerships are going broader and deeper, often forging new relationships and sparking business model disruption. While consumer fears and demands about personalization versus data privacy tend to dominate conversations, businesses will grapple with an equally daunting challenge: how to balance an information exchange between buyers and sellers while protecting security and control. The timely delivery of your package depends on it.

Follow me @smgaler