GDPR Compliance with Commercial Data Separation
Overview
Rivello worked with a client to help them take a proactive approach to openly embracing data privacy within their commercial CRM AI business.
Our clients’ business works by identifying missed revenue opportunities from commercial business development networks. However, their AI models rely on access to sensitive personal networks in order to add value. Unless they can persuade their clients, and more importantly the employees of their clients, that their personal information will be safely managed then they have no business model.
Rivello solved this challenge. Giving our client a through-life solution to managing sensitive personal information with bulletproof compliance evidence to satisfy even the most sceptical employee.
Case Study Details
The Challenge
Our client faced a challenge that many businesses are facing; more of the data they rely upon to execute their business processes is becoming marked as sensitive personal information, and international regulators are raising the standards expected on businesses with regard to the handling of sensitive personal information, with the requisite threat of fines and increased scrutiny for those businesses unable to evidence their compliance to these regulations.
The additional factor that pushed our client into seeking help was their use proposed use of artificial intelligence models within their evolving business model. They realised that while the AI models offered them a great business differentiation, they also required access to more sensitive personal data in order to function effectively, and with the added complexity that the outputs from the models would be a mix of personal and commercial data sets.
The challenge was to ensure that the business could evidence compliance with all requisite regulations around their handling of personal information, and do this in such a way that users would be satisfied enough to trust the company with their sensitive personal information, and that commercial business outcomes can be separated from sensitive personal data in the event that, say, an employee leaves a company and requires their personal information to be deleted from any models.
The challenge presented five key characteristics that needed to be solved,
Consent – Valuable data is becoming better protected as individuals and businesses are more aware of value / threats
Tracking – Where is the source of the data and what happens to the data over time as it goes through new workflows?
Derived Value – Ownership, control, and separation of data derived from multiple sources
Right to be Forgotten – The need to be able to provably delete data, while retaining derived value
Evidence - The cost of failure to show compliance is high, both regulatory fines and reputation damage, evidence of compliance is crucial
The Solution
The Rivello team designed and architected a backend solution for the client that enables them to ensure that all data is under active data privacy management from the moment the company has access to the data. This includes an approach to separating new, derived commercial data from the source data, and an auditable approach to data deletion to satisfy regulators and data owners.
The approach to designing this solution came about through a series of workshops with the client team that concentrated on the jobs to be done and the hurdles that the client team needed to overcome in order to sell their solution.
Data managed by this solution,
Sensitive Personal Data
Sensitive Company Data
Derived Commercial Networks (with no PII data)
Proprietary AI Models
Reports, Proofs, and Evidence
The solution uses Rivello Beacon to provide tamper-evident proofs, and Rivello Ledger Services for the separation of the sensitive data flows into independent data stores. As well as providing this solution, the Rivello team are working in partnership with the client team to provide solution architecture guidance to their in-house development team.
The Results
When the engagement began, the challenge was to run a data consultation process to help ensure that our client’s innovative business model was compliant with GDPR requirements.
Midway through the engagement, it felt like we were jointly breaking new ground around how to apply GDPR to AI.
By the end of the process, we realised that while the journey had been full of learning, what we had implemented was an augmentation to their existing IT solution. This is normal IT, but re-prioritised to ensure privacy and build trust in an AI-enabled business.
Outcomes
Granular Compliance - Every sensitive piece of data is recorded. Every action on the data is recorded. New insights created from data are recorded. All records can be independently verified.
Business Development - The clients business only succeeds if users are sure that their sensitive commercial networks will be appropriately looked after. Showing this approach builds that trust.
It’s just an IT Solution... - For all the additional records created and evidence established, the solution augments the existing IT solution without creating new costs or support complexity.