Preserving Data Privacy: Exploring the PrivaSapien Approach with Abilash Soundararajan

In this insightful episode, Angad Gill from Ofofo engages in a profound conversation with Abilash Soundararajan, CEO of PrivaSapien, a leader in the field of data privacy. Throughout the dialogue, they delve into intricate aspects of data privacy and the role of PrivaSapien in the data ecosystem.

Abilash sheds light on how PrivaSapien is innovating and implementing measures to enhance privacy, including strategies like output privacy and the introduction of a grievance board.
Abilash also shares some interesting insights and predictions about the future of the data industry. The discussion further extends to the challenges faced by organizations in managing privacy and how PrivaSapien can aid in overcoming them.
The conversation ends with Abilash explaining how individuals and organizations can get in touch with PrivaSapien for their data privacy needs, primarily through LinkedIn.
Don't miss out on this enlightening conversation! Tune in and stay informed about the ever-evolving world of data privacy.
Angad Gill: Welcome to Ofofo Studio. Today, I am joined by Abilash Soundararajan, CEO of PrivaSapien, a privacy deeptech company. Abilash, it's a pleasure to have you here with us today. Can you start by telling us what kind of problems PrivaSapien solves?
Abilash Soundararajan: Thank you for having me here. At PrivaSapien, we are a privacy engineering company focused on data security technologies and privacy preservation. While similar, these two concepts are distinct. Our vision is that organizations must prioritize privacy preservation before handling data. If they wish to process data beyond consent, they must ensure that the data will not result in privacy violations for individuals. This is especially critical when analyzing or transferring data across borders, or when using data for automated decision-making. It is essential that sensitive information about individuals is not leaked to third parties.
Solving these privacy issues requires a different suite of technologies, known as privacy engineering or privacy enhancing technologies. At PrivaSapien, we develop these technologies to help enterprises unlock the value of their data without violating individuals' privacy.
Angad Gill: Which industries do you get most of the requests from? Which industries face the problems that you are out there to solve?
Abilash Soundararajan: Yeah, that's a good question. We typically use a management 2x2 matrix where the X-axis represents the sensitivity of the data and the Y-axis represents the volume of data. Those in the top right quadrant require significant privacy enhancement technologies. Businesses dealing with sensitive data like healthcare and finance, as well as e-commerce and automobile companies, particularly those engaging in cross-border transfer of data, require such technologies. These businesses may face extensive penalties if they fail to comply with regulatory requirements. For example, a GCC company operating in multiple countries must meet regulatory requirements for sudden cross-border data transfers. If the company has a significant presence of data analysts in India and cannot transfer data from Europe to India, their whole business model may be threatened. These companies are undergoing disruption due to privacy regulations and cross-border data transfer restrictions. Those who transfer large volumes of sensitive data are the primary clients seeking our services.
Angad Gill: Ofofo is a cybersecurity marketplace. Whenever cybersecurity and privacy are discussed, the lines tend to be kind of blurred. Can you break down some key differences between the two for a layperson to understand?
Abilash Soundararajan: This is a very important question, and we have spoken to many CISOs about it. However, as you mentioned, this is a gray area, and we are working on building awareness about privacy. One of the primary differences is that it's our responsibility to ensure that we can explain it to a 5-year-old girl or a grandmother. That's the basic test. For example, if I have your daughter's photo, and I put the photo inside an envelope and say that only the right person can open the envelope and look at the picture, that is security, which involves authentication, authorization, and access control. These are all part of the security components, including the CIA triad of Confidentiality, Integrity, and Availability. However, privacy is what happens after someone opens the envelope and looks at the picture. Once someone has access to data, what are the things that they can and cannot do with it?
Security does not go back to the DNA level of the data; it gets encrypted, and after it gets decrypted, you can use the data for any purpose you want, and security does not have any control over it. It's like the outer security layer preventing unauthorized parties or external entities. But privacy is more about an authorized entity who is using the data for one purpose but using it for a purpose beyond that concept. The social media platform is an example of this, where someone is using your data to run political campaigns without consent. One fundamental problem is the case of Cambridge Analytica.
For example, someone is giving a picture for designing an attire, but the picture of the model is abused for something else, which the model did not consent to. How do you solve this? It's a very difficult problem that has to be solved at the data's DNA level rather than encrypting the data outside the encryption, decryption, and access control. So the foundational problem is how to ensure that the data cannot be used for a purpose beyond that or only for that purpose. There is a spectrum of technologies that are coming for this, called Privacy Enhancing Technologies. These can be either output privacy or input privacy. There's a spectrum of technologies. Output privacy can be anonymization, differential privacy, and others. Input privacy can be zero-knowledge proofs, multiparty computing, homomorphic encryption, and others. These are very different from security technologies and all your regulatory obligations, such as GDPR or CPRA. They are India's DPDP, whatever is coming across the globe. If you are a data collector, you are a data fiduciary. Your responsibility is to ensure that the data is not abused and it's not used beyond consent. That's why you need to look at these technologies.
Angad Gill: So, Abilash, you mentioned that there is a general lack of awareness when it comes to privacy in the general populace. What do you think can be done to increase awareness among people, among the masses?
Abilash Soundararajan: Okay, that's a very interesting and important question. We are also trying to solve this problem. One example of this is the growing natural awareness of privacy in the ecosystem. Many companies are now prioritizing privacy as a key attribute of their products. Digital trust has become a premium value proposition. Take Apple, for instance. They are solving this problem for us. If you look at any Apple product, you'll notice that privacy is a key selling point. Even before the launch date, Apple's ads at the airport focus on privacy. This is because, in today's market, a Chinese company can easily create a product with better specs and the same design. Therefore, the value proposition must be in software. Apple's solution is to ensure that they take care of their customers' privacy.
For example, your location data will not be shared. Any application requesting access to your location data or cookie information has to be approved by you. You have granular control over who has access to what, and they will filter it out before it goes to the application. After this feature was launched, Facebook's valuation went down significantly, especially after the location tracking feature.
On the other hand, if we look at regulations, Google was penalized $400 million in the US for using location information without consent. Meta was penalized with the largest penalty just a month ago, which was $1.3 billion in Europe for privacy violations. Now, every country is coming up with its own data regulations and is imposing a percentage penalty rate, with the G20 imposing a 4% penalty, which is equivalent to 80% of the company's global annual revenue. This is the scale of the issue we are dealing with. Naturally, there is an awareness at the corporate level, and it is a broad obligation to comply with these regulations.
Earlier, India considered this a criminal violation. If there was a violation, the DPO could be jailed. So those who have DPO may need to hire a highly-paid lawyer, and the stakes would be high. They should be ready to go to jail anytime. That's how it was. But now the penal clause has been removed, and the ecosystem is a bit more relaxed. The challenge now is that while businesses are aware, there are still first movers who are entering this phase. We want to do it the right way and implement privacy by design in the data ecosystem.
Any technology adoption follows a lifecycle where there are innovators, early adopters, early majority, late majority, and laggards. The same applies to privacy by design because traditional privacy is more of a checklist. You check off the boxes, and you're done. That's not enough. You want to do it right.
However, this approach is not acceptable to the masses. Especially when it comes to building premium products, such as cars. In case of mobile phones, if you feel that your privacy is being violated, you will get rid of the product and replace it with a new one. Imagine buying a car or an apartment, only to discover that it is spying on you. This is unacceptable, and it reduces the value of the product by 50% the moment it is purchased. Even luxury products, such as fully automated homes, need to protect the privacy of their users. Smart assistants are a prime example of products that can spy on you all day, making users hesitant to even touch them.
This awareness is growing naturally from a product perspective, as well as from the digitally aware community. Although the Indian market is not as mature as the Western market in terms of privacy, there is still significant awareness about privacy among people. We are doing our best to communicate this message to the masses through social media, talks, events, and other means. However, there is still much to be done.
Angad Gill: What can cybersecurity professionals do to champion privacy?
Abilash Soundararajan: Data protection, cybersecurity, and privacy are closely interconnected areas. In the larger gamut of data protection ecosystems, privacy and cybersecurity are like conjoined twins. Therefore, privacy professionals are the closest to cybersecurity. For instance, CISOs are the closest to becoming DPOs in many organizations that view privacy from a security standpoint. Today, having a DPO is a mandatory obligation as per regulation, whether it's GDPR or India's DPDP. Unlike cybersecurity, which doesn't mandate the need for a CISO, regulation mandates that you need a DPO. The DPO must report to the highest possible level in the organization.
Okay, so basically, the DPO is a very senior person who reports to the CEO or to the board, and he is not obligated to anybody within the organization, but he is obligated to the citizens or the data subjects whose data the organization is collecting. That's his reporting hierarchy. The DPO of an organization has to directly report to the DPA (Data Protection Authority) in the ecosystem. The government sets up a data protection authority, similar to Europe. When a data subject, who is a customer, asks where their data is stored, what is the purpose for which their data is being used, how their data is being analyzed, whether their data can be moved to a different database or vendor, and whether their data can be deleted, these rights are called data subject rights, and all users have them. Organizations need to set up a grievance board to receive these requests from users, and the DPO has to act on it. This is more like an RTI (Right to Information) for businesses, and they have to respond within a specific period of time. In case of a data breach, it must be notified and made public to the DPA. If the DPA feels that there is enough information for it to go public, then it can be made public, and this can significantly bring down the reputation of an organization. This can be seen as an impact of a CISO or a DPO not taking care of the data flows within the organization.
This is a foundational step and a natural growth path for a CISO or any security professional. Reporting directly to the board is an actual growth path, and privacy is more connected to the customer than before. Earlier, a CISO might not face customers as such, and they would update the board and present their dashboard. However, with a DPO role, you are directly responsible to the users, face to face. You are also responsible to the government entity, and the penalties are huge - up to 4% in India for every instance of data breach. The penalty can go up to 500 crores for an organization for every instance of data breach, which is very significant. Hence, the bar is already set, and the requirement is already established. Organizations that wake up earlier to this have a significant advantage, both at an organizational and individual level. There is a lot to gain and grow, and an accelerated growth opportunity within an enterprise at this point. These are the benefits that individuals and organizations have in the ecosystem, and that's what we are trying to communicate. It makes sense.
Angad Gill: What specific actions can security professionals take to increase awareness about privacy and solve the problems faced in this area?
Abilash Soundararajan: As a cybersecurity professional, CISOs are increasingly responsible for data protection in organizations. They must first understand the regulatory obligations that come with data protection requirements. This includes data subject rights such as the right to information, access, modification, forgetfulness, and data portability. CISOs must ensure that applications and data flows comply with these requirements.
This additional responsibility is similar to security in terms of allowing flows in a data ecosystem. In security, firewalls and minimal required security requirements for applications or APIs are used in a zero-trust architecture. Similarly, CISOs must ensure that applications and data flows comply with the new requirements in the privacy space.
What are the risks associated with allowing data to flow to downstream parties, whether internal or external, in a data ecosystem? What kinds of risks are deemed acceptable, and what kinds are not? Conducting a data protection impact assessment is crucial in answering these questions. Although a Chief Information Security Officer (CISO) may be more familiar with risk analysis from a security standpoint, the constructs and frameworks for conducting a privacy impact assessment are similar. It is important for a CISO to understand this new perspective from a privacy angle, as it is a regulatory obligation rather than an industry-specific regulation. For example, the Reserve Bank of India (RBI) may have specific requirements for a CISO. However, this is a nationwide obligation that stems from the Data Protection Bill. This obligation is horizontal, meaning that CISOs can learn from other industries or countries and apply those practices within their organization. The frameworks that they are accustomed to, such as ISO 27001 for security or 27701 for privacy, can be very similar in terms of systems, processes, and frameworks.
Angad Gill: Alright, let's switch gears and talk about some of the patents that you guys hold. What is PrivaSapien's intellectual property?
Abilash Soundararajan: Okay, so privacy engineering is like a gold mine, right? It's a completely new and unique area, so many of the things you do are very innovative. It's similar to cybersecurity, where you have VAPT (Vulnerability Assessment and Penetration Testing), but what is the privacy equivalent of VAPT? Well, we have something called Privacy Xray, where we perform privacy threat modeling and privacy attack simulation on data. This helps with accelerated data protection impact assessment, which is important for a DPO who must decide whether to allow specific data to be used or not.
For instance, let's say your marketing team requests CRM data. This data may or may not contain Personally Identifiable Information (PII), quasi-identifier statistical data, or re-identifiable information. Without consent, should the DPO allow this flow of data to the marketing team? It's a big question, and it's difficult to answer manually because the data may have up to 300 columns, and sensitive information could be hidden in multiple rows. However, this is how the industry is currently making decisions.
Unfortunately, we are still in the Stone Age of privacy. To address this issue, we have developed a tool called Privacy Xray. This tool automates privacy attack simulation and privacy threat modeling, providing a single privacy risk score. Based on this score, you can define policies to manage the risk. For example, if the score is between 80 to 100, you can define a set of policies that are more stringent, while a score between 50 to 80 may require different policies. A score between 0 to 20 may require more lenient policies, since the risk is lower.
We have filed around 16 patents, including one for differentially private generalization, which utilizes anonymization techniques to prevent re-identification of individuals. We have also launched a product called PrivaGPT, which provides governance for large language models (LLMs). This is a crucial area, as it is important to ensure that control is maintained over LLMs used by employees in an organization. This helps prevent situations where sensitive information, such as details about a $5 million deal, may be inadvertently leaked.
Our tool identifies different types of risks, such as personal, financial, health, and confidential risks. We provide domain-level summarization and create synthetic prompts that retain context, but change the information in a way that makes it impossible to connect back to the original data. This ensures that information remains private even if it goes public. A CISO or DPO can view a holistic dashboard that displays risks, mitigations, and overall summaries of risk categories. This allows them to report to the board on how risks have been mitigated.
Angad Gill: This is amazing stuff, Abilash! How does one get in touch with PrivaSapien? And how do people reach out to you?
Abilash Soundararajan: You can get in touch with us on LinkedIn, or by contacting us at Social media is another option, but I would say LinkedIn is the primary way. Thank you.

Written by

Mohan Gandhi Ponnaganti

Co-founder and CEO,