In this article, which is a 7-minute read, I will: explain why I am in data privacy, share some practical tips on how I recommend managing privacy in a complex environment, and give an outlook on the legal topics which we will cover at our upcoming ODSC talk, “GDPR in Action: Does it Work?”
My personal motivation
When I gave a town hall speech in October last year, one of my close colleagues (who is known for his out-of-the-box thinking) asked me during the Q&A session:
Volker, why all this hassle on data privacy? My personal data is fine, I have nothing to hide. Why bother?
I was too quick in my answer, which means it was standard and textbook-like: I told him that we have to act compliantly, and that our company may face fines of up to 9 digits unless we act properly (https://www.enforcementtracker.com/).
Driving home that day, I was disappointed with my lukewarm response. It was not personal and it was not at the heart of data privacy. On the next occasion, my answer will go like this:
Imagine for a moment a world without data privacy.
You work in tech, you have a great job, and you have a promising outlook on an exciting career in data science. Besides this, you feel very comfortable in using online tools like social media, search engines, and internet book stores. You use them heavily.
One day, however, you find yourself out of your job: your position got outsourced to a country 10,000 miles away and you do not want to move. Looking forward, you welcome this cue to explore a position in a new company, in order to take the next step in your career.
Thus, you apply for this promising position you found online and you wait. You wait for one week, you wait for another week. After not hearing anything from the contact mentioned in the job offer for more than a month, you are worried and manage to call this person directly.
First, she apologizes for the missing response. Something went wrong, but she tells you on this occasion in person that they, unfortunately, are not going to invite you for an interview. Application declined.
After taking a deep breath, you kindly ask for the reason. The lady answers that normally they do not give such feedback, but in this case she is willing to make an exception: she explains to you that there was an issue in the data that they own on you and which they evaluated according to good HR practice.
When you ask what is wrong with your data, she finally tells you that in the light of their analysis you have a strong interest in depression. Consequently, their HR algorithm advised her not to consider you as a candidate because of the strong correlation between you and this disease.
Your jaw drops, and your final comment in this sad call is that your interest was rooted in helping your best friend, whose life is being ruined by depression.
This story is obviously fictional. But many, many of our users have real data privacy concerns. In fact, questions about our company’s data protection efforts ranked in the top 10 during our exhibition at the 2019 Agritechnica, which is the largest agronomical fair in the world.
I entered data privacy in 2018 when GDPR became effective in the European Union. Before this new legislation, data privacy management had a very bad reputation. It looked boring, a “must-have” with low impact, producing merely documents in which very few people had a real interest.
This has changed.
As the fines are rising and rising and the technical complexity around data privacy is constantly growing (e.g. on handling cookies or trackers in a compliant manner), data protection has become a demanding and impactful part of my job.
Some management recommendations
Because of the complexity described above, let me share with you some concrete hints on how to get the job done in a big organization. Our own department is run by about 100 employees spread out in 6 countries. We are part of the BASF group, which is the largest chemical company in the world with more than 100,000 employees. We at Digital Farming provide AI-based services to more than 1 million users globally.
1. If you start from scratch with data privacy, consider organizing your tasks as a project.
After some initial 2-day training on GDPR, it helped me define and agree on objectives with my line manager and develop a clear path to reach them. What kind of resources (like legal) would I need? What are the concrete deliverables and what are our most urgent concerns?
2. Identify your internal stakeholders
It helps to embrace the product owners first. Get in touch with them as early as possible, as it reduces your risks significantly. For example, data processing agreements with third-party processors may turn out to be a show-stopper, or they might turn out to be simple paperwork. Beyond this, identify whom you report to in upper management when it comes to data privacy. Report regularly and proactively.
3. Train your environment.
Once you feel comfortable with the legal requirements yourself, your stakeholders will probably be grateful if you can train them on the basics during your regular meetings. On top of this, offering town hall meetings spreads knowledge to a broader audience and makes you visible as the enabler of GDPR in your company.
4. Do you really need to process private data for the project in front of you?
Obviously, the anonymization of data makes life easy for you. Before doing this, if there is reason for doubt, make sure that the data is actually to be considered private according to GDPR.
Outlook on legal topics covered in our talk
In this part of the talk, Reinhold will explain how GDPR really works in your AI environment: what GDPR is all about and how, starting from the legal requirements, you can ensure your compliance smoothly.
You will discover that GDPR does not forbid the collection and processing of any private data, even very sensitive data. Its intention is only to guarantee the transparency of such processing.
He will explain how the fines are calculated and which rights of the data subject you must watch.
We will finish with an outlook on GDPR 2.0, new projects from the EU Commission on regulating the AI market, and how to use distributed AI techniques like federated learning in a GDPR-compliant manner.
In a nutshell, attorney Reinhold Beckmann and I will explain in detail at ODSC the requirements and consequences of GDPR (General Data Protection Regulation) for your company.
Volker is an expert in Artificial Intelligence and Software Quality Assurance. After studying physics at the University of Bonn, Volker finished a PhD at the Research Centre Juelich, Germany. He has been working for more than 13 years in international life science companies, fulfilling several IT roles. Currently, his focus is on the implementation of AI-based computer vision algorithms for farmers on a global scale. Since 2018, he has also been Data Privacy Coordinator at BASF Digital Farming GmbH.
Reinhold Beckmann is a lawyer from Germany specializing in Internet law and international IT law. His main focus is consulting companies, e.g. BASF Digital Farming in Germany, to ensure their GDPR compliance under the new European data privacy regulations. This includes the international aspects of personal data security. Reinhold also teaches and speaks on these topics at international conferences. After finishing his law studies in Muenster, Germany, Reinhold worked for more than 20 years in the enterprise software industry, mainly for North American software vendors, leading their European organizations.