Making privacy simple for businesses: Why we invested in PrivaSapien
Bhanu was in a meeting when he received the message from his bank. His credit card had been swiped for a transaction worth Rs 1.5 lakh to buy a mattress. He was instantly alarmed and called his bank to cancel the transaction.
Seema was trying to apply for a home loan. This was the first time she was applying for a loan of any kind. But to her surprise and horror, her application was denied because of a low credit score. Seema was perplexed. When she checked her credit entries, it became evident that someone had misused her financial details to avail of a fake loan and then defaulted. They had all her details — her bank account and Aadhaar numbers, and PAN card details. It took her the better part of a year to clear the situation with the authorities, and her dream to own her house had to be put on hold for that duration.
These are harrowing but true incidents. Unfortunately, not only are they common in today’s digital age but also growing rapidly. The growth in digitization brings immense benefits – analysis of customer data enables increased inclusion, cost efficiencies, increased convenience and personalisation. However, it also makes the users more vulnerable to the due to breach of their personal data – such as identity theft, digital frauds, lack of privacy, etc. Especially for the whole new set of users such as India’s Next Half Billion that are coming online for the first time, such experiences can be demotivating.
Beyond individuals, the breach of personal data also affects businesses. From e-commerce websites to your food ordering app, your online streaming service to an online education class, all businesses need to store & analyse some amount of data in order to deliver better services to customers. These businesses risk losing customer loyalty, market reputation and paying high penalties in case of breaches. A Centrify study, for example, found that 65% of data breach victims lost trust in an organisation as a result of the breach. Another report by IBM found that customers’ personally identifiable information (PII) was the most common (44%) and costliest type of data breach, costing ~Rs 14,800 ($180) per lost or stolen record.
Global privacy laws are also increasingly placing data protection & compliance obligations on organisations such as conducting regular privacy audits as well as place necessary safeguards to protect PII data. Non-compliance invites heavy fines and penalties. India’s recently published draft of Digital Personal Data Protection Bill also proposes fines as high as Rs 250 crore on businesses that fail to take “reasonable security safeguards” to prevent personal data breaches. The European Union’s General Data Protection Regulation (GDPR) says that organisations that do not meet the prescribed privacy obligations may experience fines of up to 4% of a firm’s revenues.
Hence, It is imperative that businesses take immediate steps to assess potential breaches of their customers’ data and crucial to ensure that digitization & data analysis is done in a responsible, privacy preserved manner. This was the guiding principle for Abilash Soundararajan to set up PrivaSapien. With his experience of over 17 years in cybersecurity, Abilash could foresee the risks of privacy violations if privacy engineering is not integrated into data pipelines of organizations. Based on patented privacy technology algorithms, PrivaSapien’s vision is to enable businesses to conduct privacy preserved handling of customers’ data.
Currently most processes to ensure privacy compliance and safeguards in data sharing are done manually, making it time and cost intensive. End-to-end implementation of these methods can take anywhere between three to six months. Apart from the time taken, Human error is the most common cause of data breaches. Often, this happens when databases are shared downstream to another team, internally or third party for analysis, and access to the personal information of customers is exposed to vulnerabilities. These incidents have therefore brought a greater focus on securing personal data, such that it is not possible to identify the customer directly or by linkage with other datasets in case the data is breached. Data anonymization is one such technique that anonymizes the personal data and reduces reidentification.
The partially automated products that exist currently are preliminary, template-based solutions without artificial intelligence capabilities for assessment and recommendations. Globally and in India, automated solutions are barely effective. Gartner predicts that over 40% of privacy compliance technology globally will rely on AI solutions by 2023, up from 5% in 2020.
With this context in mind, PrivaSapien is working to develop automated tools using privacy enhancing technologies (PET). Currently the team has built & launched two solutions using their patented technology. These solutions that make it easier for organizations to adopt privacy preserving techniques, and eventually help the end-customer build greater trust in online data-sharing systems.
The first product, called Privacy X-Ray, is an automated privacy audit tool, that generates a privacy risk assessment score and a detailed privacy risk report for a dataset, therefore guiding businesses in designing their privacy journey and reducing the time taken for such audits from weeks (by contemporary methods) to minutes. The second product, called Event Horizon, anonymises personal data in a dataset to make it shareable downstream in a privacy-preserved manner. Its algorithm ensures to remove reidentification & data linkage possibilities while simultaneously retaining valuable insights in the dataset. It is estimated to be 80% more effective retention of business insights in the anonymized data than other conventional methods (e.g. tokenization & masking). It also provides mathematical proof of its privacy preservation technique, further increasing customers’ trust in the method. The dynamic anonymisation is contextual to the sector and the degree of anonymisation can be controlled based on end-user sensitivity and AI processing requirements (e.g. sharing internally vs third-party).
Our thesis
By enabling businesses to conduct automated, faster, in-house and low-cost privacy risk assessment and anonymization of datasets, PrivaSapien will help enhance the online privacy and safety of individuals in the digital economy, especially as more Indians come online for the first time. It will also accelerate adoption of responsible data practices by both large and small businesses.
PrivaSapien is a category-creating business. We belive its solutions will reduce harm by enabling businesses to be privacy compliant and adopt responsible data handling practices. Additionally, we expect that by demonstrating commercial and technical success of a productized PrivacyTech solution, PrivaSapien will attract imitators and other players to develop commercially viable privacytech solutions, thereby moving the sector forward and enabling better privacy for the Next Half Billion.