Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

When Privacy Scales - Intelligent Product Design under GDPR


Published on

Data-driven companies making intelligent products must design for security and privacy to be competitive globally. The EU General Data Protection Regulation (GDPR), implemented May 2018, is the benchmark that global data privacy will be measured against.

This presentation outlines the basic tenets of personal data and details the high-level changes that GDPR-compliant businesses face. It translates the current and near-future impact to teams designing products driven by machine learning and artificial intelligence and shares use cases of how SAP Concur is designing to meet this challenge while still delivering services to its end users that are driven by advanced algorithms.

Presented at The AI Conference, San Francisco, September 2018

Published in: Software
  • Login to see the comments

When Privacy Scales - Intelligent Product Design under GDPR

  1. 1. When Privacy Scales Intelligent Product Design Under GDPR Amanda Casari Principal Product Manager + Data Scientist Concur Labs @ SAP Concur @amcasari#TheAIConf
  2. 2. CREDITS: NASA EARTH OBSERVATORY IMAGES BY JOSHUA STEVENS, USING SUOMI NPP VIIRS DATA FROM MIGUEL ROMÁN, NASA'S GODDARD SPACE FLIGHT CENTER privacy paradox #1 • Users growing more savvy + cautious about technology • Users demand higher levels of personalization + content transfer across ecosystems @amcasari#TheAIConf
  3. 3. privacy paradox #2 • Data flywheels drive our ability to deploy AI products at scale • “Bias flywheels” negatively, unevenly + unfairly impact communities at scale CREDITS: NASA EARTH OBSERVATORY IMAGES BY JOSHUA STEVENS, USING SUOMI NPP VIIRS DATA FROM MIGUEL ROMÁN, NASA'S GODDARD SPACE FLIGHT CENTER @amcasari#TheAIConf
  4. 4. CREDITS: NASA EARTH OBSERVATORY IMAGES BY JOSHUA STEVENS, USING SUOMI NPP VIIRS DATA FROM MIGUEL ROMÁN, NASA'S GODDARD SPACE FLIGHT CENTER privacy paradox #3 • Enterprise software maximizing new market growth must be able to repeatably scale technology solutions • Regulatory standards for privacy widely vary across geographic regions, even within countries CREDITS: NASA EARTH OBSERVATORY IMAGES @amcasari#TheAIConf
  5. 5. data: beyond the bits @amcasari#TheAIConf
  6. 6. data: beyond the bits HTTP://WWW.DEAR-DATA.COM/THEPROJECT …a “personal documentary” rather than a quantified-self project which is a subtle – but important – distinction. Instead of using data just to become more efficient, we argue we can use data to become more humane and to connect with ourselves and others at a deeper level. Dear Data Giorgia Lupi + Stefanie Posavec @amcasari#TheAIConf
  7. 7. data: beyond the bits …based on people’s online expressions, capitalizing on data-rich social media, and we’re measuring how people present themselves to the outside world. Hedonometer UVM’s Computational Story Lab HEDONOMETER.ORG @amcasari#TheAIConf
  8. 8. data: beyond the bits Automated systems are not inherently neutral. They reflect the priorities, preferences, and prejudices - the coded gaze - of those who have the power to mold artificial intelligence. Gender Shades Algorithmic Justice League @amcasari#TheAIConf
  9. 9. privacy: a primer @amcasari#TheAIConf
  10. 10. privacy: a primer • US: “right to privacy” cobbled together via case law (Supreme Court) • “The right to privacy refers to the concept that one's personal information is protected from public scrutiny.” …so what could be personal information? …does this apply equally across all forms of information? @amcasari#TheAIConf
  11. 11. privacy: a primer Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media. @amcasari#TheAIConf *PII in US
  12. 12. privacy: a primer Race (Civil Rights Act of 1964) Color (Civil Rights Act of 1964) Sex (Equal Pay Act of 1963; Civil Rights Act of 1964) Religion (Civil Rights Act of 1964) National origin (Civil Rights Act of 1964) Citizenship (Immigration Reform and Control Act) Age (Age Discrimination in Employment Act of 1967) Pregnancy (Pregnancy Discrimination Act) Familial status (Civil Rights Act of 1968) Disability status (Rehabilitation Act of 1973; Americans with Disabilities Act of 1990) Veteran status (Vietnam Era Veterans' Readjustment Assistance Act of 1974; Uniformed Services Employment and Reemployment Rights Act) Genetic information (Genetic Information Nondiscrimination Act) @amcasari#TheAIConf *Legally recognized ‘protected classes’ in US
  13. 13. privacy: a primer …does this apply equally across all forms* of information? No…. And this is still evolving. * e.g. papers on your desk at work, your journals at home, your logins at work, data from cloud services, data stored on your phone @amcasari#TheAIConf
  14. 14. privacy: a primer EU: General Data Protection Regulation (GDPR) defines personal data… …creates a general law to protect it (That’s really it. ¯_( )_/¯ ) @amcasari#TheAIConf
  15. 15. Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. @amcasari#TheAIConf - European Commission
  16. 16. privacy: a primer …okay, so what exactly is personal data under GDPR? • a name and surname • a home address • an email address such as • an identification card number • location data (for example the location data function on a mobile phone) • an Internet Protocol (IP) address • a cookie ID* • the advertising identifier of your phone etc…. @amcasari#TheAIConf
  17. 17. privacy + intelligent products @amcasari#TheAIConf
  18. 18. General Data Protection Regulation Data Subject Rights • Breach Notification • Right to Access • Right to Be Forgotten • Data Portability • Privacy by Design • Data Protection Officers
  19. 19. privacy + intelligent products @amcasari#TheAIConf @MROGATI Monica Rogati The AI Hierarchy of Needs Think of AI as the top of a pyramid of needs. Yes, self- actualization (AI) is great, but you first need food, water and shelter (data literacy, collection and infrastructure).
  20. 20. right to access privacy by design data portability right to be forgotten @MROGATI @amcasari#TheAIConf privacy + intelligent products
  21. 21. right to access privacy by design data portability @MROGATI @amcasari#TheAIConf privacy + intelligent products right to be forgotten
  22. 22. right to be forgotten @amcasari#TheAIConf
  23. 23. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible. @amcasari#TheAIConf - European Commission
  24. 24. right to be forgotten @amcasari#TheAIConf KI-Protect …secure your data by letting you enable pseudonymization and anonymization of data fields on the fly
  25. 25. right to be forgotten Concur Labs Washing Machine Anonymization of personal data in natural language Privacy engineering at scale @amcasari#TheAIConf
  26. 26. right to be forgotten @amcasari#TheAIConf Concur Labs ML Experimentation in Hackathons Synthetically generated datasets to statistically represent customer data No access to customer data platforms needed for AI/ML experimentation + innovation
  27. 27. privacy by design @amcasari#TheAIConf
  28. 28. @amcasari#TheAIConf old new idea: reciprocal data applications privacy by design Google Quick, Draw!
  29. 29. @amcasari#TheAIConf privacy by design Stitchfix Human-in-the-loop processes old new idea: overt data collection through product services
  30. 30. @amcasari#TheAIConf privacy by design DrivenData Deon old new idea: general + specific subject matter expert reviews First and foremost, our goal is not to be arbitrators of what ethical concerns merit inclusion.
  31. 31. “Privacy is not something that one has, but something that one seeks to achieve. It requires constant negotiation as information flows and contexts shift. To achieve privacy in a networked world, people must actively try to manage the various social situations in which information is accessed, consumed, interpreted, and shared. They cannot simply focus on restricting the flow of information; they must also account for the ways in which information is inferred and used.” - Reframing Privacy, Data & Society @amcasari#TheAIConf
  32. 32. privacy: a primer @amcasari#TheAIConf Partnering organizations New America's Open Technology Institute Brooklyn Public Library Metropolitan New York Library Council Data & Society Data Privacy Project [teaches]… how information travels and is shared online, what risks users commonly encounter online, and how libraries can better protect patron privacy. Its trainings help support libraries’ increasing role in empowering their communities in a digital world.
  33. 33. X @amcasari#TheAIConf go beyond opt-in/opt-out build for users dial-up + down privacy easy to see tradeoffs on-device services privacy by design
  34. 34. @amcasari#TheAIConf privacy by design Concur Labs MapIt Overt user data collection Privacy engineering on- device Basic map app with location obscuring for anonymized data options
  35. 35. privacy by design Concur Labs PolicyBot Enterprise reciprocal data application Human-in-the-loop evaluation process Constrained Q+A bot to answer travel + expense policy questions @amcasari#TheAIConf
  36. 36. future next now
  37. 37. thank you @amcasari#TheAIConf @SAPConcur @ConcurLabs