MC: Machine learning is certainly a key area of focus for us and we use it alongside techniques drawn from many areas of mathematical, statistical and information theory to create the algorithms and prototypes that form the basis of our products.

A lot of what we do involves de-constructing data processing techniques to understand where they may result in privacy risks. We then produce privacy-enhanced versions of these techniques to enable the processing while minimising privacy risk, or at the very least equipping organisations to make well-informed decisions around the use of their data.

A core part of any of these offerings is the ability objectively to quantify the privacy risks a dataset or analytical output contains. This is where Truata Calibrate comes in, measuring the singling out, linkability and inference risks, while also taking an attack-based view to quantify the likelihood of a breach.

Embedding privacy-by-design and privacy-by-default principles can mean changing how analytics are performed, for example, by allowing data to be processed or analysed without allowing access to the underlying data. As above, this first requires the ability to quantify the privacy risks within the data and outputs, so we use our solution to achieve this.

DIQ: How much human supervision is required and could this ultimately become automated?

MC: We seek to automate as much of the process of quantifying and mitigating privacy risks as possible. Truata Calibrate can automatically quantify all sources of privacy risk and make recommendations for privacy-enhancing transformations that can be applied. Human intervention is required to ensure that organisational standards and domain knowledge are applied correctly. We always seek to provide options for full interactivity or automation, so our products can be configured to suit the particular needs of each customer.

DIQ: Regtech (regulatory technology) has been a growth area - do you see it as fertile ground for the application of data science, perhaps because of the complexities involved?

MC: Absolutely. We’re seeing a huge shift towards using sophisticated data science methodologies in the field of regtech. In the first phase of this, manual or low-tech solutions were being digitised and made available in centralised locations such as digital data catalogues.

The next phase, which Truata is driving, sees regulatory technology becoming a lot more automated and proactive in supporting the human experts within an organisation to handle the masses of data they control and the increasing number of data projects they’re being asked to review and approve.

There’s also a movement within chief data officer (CDO) circles to move away from being a cost centre and towards a profit centre. By understanding deeply the risks and uses of all data silos within their organisation, the CDO can unlock lucrative analytics opportunities to drive business growth, operational efficiencies and data monetisation. These can all be measured in terms of their impact on a company’s P&L and so the CDO transitions to be more commercially profitable.

DIQ: Was this an innovation that needed to be built from the ground-up, or have you been able to leverage preceding solutions and approaches?

MC: We have phenomenal people in our data science, engineering and product functions, all with deep expertise in their respective fields. We also maintain links with academic researchers and keep up-to-date with developments in relevant academic fields. We use state-of-the-art research and commercial developments, and apply our own creativity to develop our novel suite of products. We build them from the ground up using new algorithms, but informed by what’s happening in the market and the relevant experiences of our team.

DIQ: How have you been able to make the risk assessments explicable for clients to avoid the problem of it being a “black box” (and also to meet GDPR, of course!)

MC: We provide very detailed risk reports in ways that different stakeholders can understand. We seek to provide high-level risk metrics so that executive-level stakeholders can quickly review the overall risk profile of data analytics programmes. These top-level metrics give way to several levels of drill-down, where technical and legal stakeholders gain insights related to their specific areas of expertise.

We always seek to utilise familiar language in our risk reports, drawing from official regulations and guidance from data protection authorities. Privacy practitioners are familiar with language surrounding “singling out”, “linkability” and “inference” and this is how Truata Calibrate presents the risks it finds. The underlying mathematical equations and proprietary algorithms drive this familiar vocabulary, so stakeholders at all levels can quickly interpret what the implications of the solution’s findings are.

DIQ: Finally, while this is a business-focused solution, do you see opportunities for data science in helping individuals to control their own privacy and data protection rights?

MC: Similarly to how we enables organisations to take control of their privacy risk management and make informed decisions as to how they store and process data, these techniques can equip individuals with an understanding of how the data that is held on their behalf may compromise their privacy.

A lot of the mistrust around how companies are using their data arises from a lack of transparency and understanding of how data is being stored and used. Communicating these aspects can help individuals to better understand how to control the use of their data and increase their level of comfort and trust in the companies they engage with.

In the future, individuals will be more empowered to control their own destiny with respect to what data is used by brands and we will see data-driven products being created that provide this level of control. Since this can be an incredibly complex thing to do, such products would need to intelligently capture and recommend how data should be collected and used.