Podcasts
Data Security Decoded
Ep 46
Data Security Decoded 3.3.26
Ep 46 | 3.3.26

AI Moves Fast. Privacy Has to Move Faster.

Show Notes
Transcript

Ojas Rege: The topic that we're discussing here, data and cloud summary, this has actually been core to privacy for a long time, right? Kind of, it's not necessarily a new topic. There are some, you know, new things in the geopolitical landscape that are increasing the emphasis on it. But this has been the case since day one of privacy. There's this notion of data transfers that's kind of fundamental to privacy, which is: I'm the citizen or the resident of a particular country. You, the service provider, the website, whoever it is, has collected information about me. What other countries are you sending that information to? [ Music ]

Caleb Tolin: Hello, and welcome to another episode of "Data Security Decoded." I'm your host, Caleb Tolin. And if this is your first time joining us, welcome to the show. Make sure you hit that Subscribe button so you're notified when we drop new episodes. And if you're a returning subscriber, thanks for spending some more time with us. Give us a rating, drop a comment below. Let us know what you think about this episode and the show in general. Your feedback really helps me understand what you want to hear more about. And it helps us reach more listeners, just like you, who are eager to learn more about improving risk across their business. Now, today, I had a great conversation with Ojas Reje, the SVP and GM of Privacy and Data Governance at OneTrust. And we discussed how organizations can approach data privacy and governance as they begin their AI transformation and navigate the increasingly complex geopolitical environment. Not an easy subject to get into, but let's get into it. [ Music ] Ojas, welcome to the podcast. I'm so excited to have you on. I think we're going to have a really impactful conversation around data governance and data privacy. But before we dive into that, I would love to know, what is something that you're obsessed with lately that has nothing to do with security, AI, or any of this like tech mambo-jumbo that we're going to spend a lot of time talking about?

Ojas Rege: Ooh.

Caleb Tolin: I'll go first. Mine has been these little like desk figurines that I've been kind of filling my workstation with a bit. I have like a little Pokémon little figurine here that I recently, I think I mentioned this in one of my -- one of the previous episodes, but I recently got back into Pokémon from when I was a kid. But how about you? What's something that's not related to security, AI, or tech?

Ojas Rege: For me, I'm a big comic book collector. And so I'm always like scouring eBay, you know, for fun things that might be up. And my biggest find is, over the course of the last couple of weeks, there was a couple of folks, probably about my age, who started collecting comics in like the '70s, who, you know, one reason or another, decided to get rid of their stuff. And they're selling it for like really reasonable prices. And so I'm like every day checking out, you know, what they got. And I'm not sure where I'm going to put it all. But, you know, you worry about those things later.

Caleb Tolin: I love that. Are you more of a DC or a Marvel guy?

Ojas Rege: Marvel.

Caleb Tolin: Marvel, awesome. Well, thanks for sharing that. And to get into the meat of the conversation here on data privacy and governance, let's first start talking about AI. I think we're going to spend a lot of time talking about AI since it's so relevant to data governance and data privacy. So with the rise of AI in the enterprise, specifically as enterprises are deploying, sometimes at scale, hundreds of AI agents across their business, what does that fundamentally mean for data privacy?

Ojas Rege: Well, what it means is that there's a whole bunch of different ways you might very quickly use data that you weren't doing before. So like I view AI as, it gives you, as an organization, the ability to do a lot of stuff, right? Scale up your operations. That means you can do a lot of great stuff and create a lot of great opportunities quickly. It also means that you can do a lot of bad stuff quickly. And this is the challenge with privacy, which is that if there is really a privacy issue, historically pre-AI, yes, you might have done something, might have exposed that issue. But now with AI, everything, especially if you have agents, it's moving, you know, a thousand times as fast. So you have the potential of really causing harm, right, to your customers, to your constituents if you really haven't thought about the risk management effectively in advance. So it just scales up the good, and it can scale up the bad.

Caleb Tolin: Right, right. That's a really consistent -- or a concise way of saying that. And so agentic AI systems are definitely designed to repurpose data dynamically, but under rules like GDPR and the EU AI Act, where does purpose limitation genuinely break down, and where are organizations misunderstanding the risk?

Ojas Rege: So the central premise of the notion of purpose in privacy legislation is that I'm an individual, I own my data, I let you, the service provider, use it for a particular purpose. So I give you permission, consent, to use it for a particular purpose. So you can't use it for something else, right? And so that's called purpose limitation. Because if you come to me and say, hey, you know, Ojas, can I use your contact information to be able to send you, you know, some weekly literature about the product that you're using? And I'd be like, okay, go ahead and do it. But if you can't even say, hey, Ojas, can I start using your personal contact information to, you know, create targeting mechanisms to be able to sell you more stuff in an XYZ way? I may say, no, I don't want that. Now the challenge is -- And that's fundamental to privacy in every single regulation. If you are going to do something else with the data, you have to get consent for that something else, that new purpose. The challenge with AI is the following, which is an AI model is general-purpose. You can use an AI model for anything. You could use it for personalization use cases. You could use it for product development use cases. It can do a lot of stuff. And so what I always tell customers how to think about this notion of purpose limitation is think about the data set you have that is personal information. If you are using -- if you're applying AI to that data set to do the same thing that you got consent for, so the customer said, hey, I want a personalized web experience, and you're using AI to deliver them a personalized web experience, it's the same purpose. You're okay. But if you're training that AI system, those AI models, on that personal data, now you've got a problem because now that data could be used for anything else in the context of that model. So I think, at the high level, the key thing to always ask is, you've got this personal information, what are you using it for? Now that you're applying AI to it, are you still using it for the same thing? If so, then you know what, you're probably okay. If, because you now have AI, have you introduced 15 more uses of it, well, then you better reconsider the consent that you got and go back to your consumers and see if they're okay with all these new uses you have. And you've got to be very clever about how you do that, obviously, and be transparent.

Caleb Tolin: Right, right. Otherwise, you can put yourself in quite the legal pickle for sure.

Ojas Rege: Yeah, and I think there's two things here. You can put yourself in the legal pickle, but also transparency drives trust. You can't have trust without transparency. And I think in an AI world, consumer trust, customer trust becomes increasingly important because if I do something to damage that consumer or damage the trust, and it can be a variety of things I might end up doing, it's very difficult to get it back. So I always think about, you know, you've got to wrap your arms around AI risk, not just because there's a law potentially for privacy or for AI, but because you don't want to take on business and operational risk that's going to harm what you do, right, as a living.

Caleb Tolin: Right, absolutely. And I love what you had to say about trust there. And I kind of want to talk about trust in a slightly different aspect, kind of getting a little away from what we're talking about with AI here, and I want to talk a little bit more about cloud. Because the concept of cloud data sovereignty has grown in immense popularity, especially in European organizations who are concerned about these major cloud providers, you know, GCP, Azure, AWS, that are typically US-hosted businesses, having access to -- or all of their data is hosted through these businesses that are US-based or maybe based in a different domain. And they're kind of concerned for the geopolitical issues that could arise from that, depending on political volatility and things like that, based in the host nation. So, for European organizations that are concerned about this issue, what can they do today to start giving them peace of mind, knowing that their data privacy isn't being infringed upon?

Ojas Rege: The topic that we're discussing here, data and cloud sovereignty, this has actually been core to privacy for a long time, right? Kind of, it's not necessarily a new topic. There are some, you know, new things in the geopolitical landscape that are increasing the emphasis on it. But this has been the case since day one of privacy. There's this notion of data transfers that's kind of fundamental to privacy, which is: I'm the citizen or the resident of a particular country. You, the service provider, the website, whoever it is, has collected information about me. What other countries are you sending that information to, right? Like this whole notion of information about the residents of my country being sent to other countries, either without their permission or without their knowledge, or in a way where their privacy is not protected has been fundamental since the beginning of the GDPR. So what do you do, right? What is the path people take? And I think that path continues to be the same. The urgency might change based on, you know, geopolitical, you know, kind of attributes, if you will, or the environment. But the path is the following, is I need to understand. So let me look kind of inside my company first. I need to understand what data I have about who. And once I understand what data I have about who, then I need to understand, is that data ever moving anywhere else? And that requires me to have visibility within my organization for that data. And then all that information is mapped into, you know, systems like OneTrust or others, where you actually start mapping out where those transfers go. And then if that data is moving somewhere else, then you know you might have a new risk assessment you have to do. There might be new actions you have to take. There might be new data, you know, kind of mitigations or remediations you have to do as well. So within your company, if you invest the time and energy, you can get a pretty good sense of that. The big blind spot for organizations is the software supply chain. And AI actually makes this actually more complicated. So this is why, along with geopolitical forces, the advent of AI makes this a more difficult problem. Because my data is stored, to your point, in some other system, some application provider. And even if I feel comfortable with that application provider, do I know what application providers they're using and what's happening down that chain? This becomes a little bit challenging. And so what it means is, you know, at the high end, maybe it's a little bit of an unsolvable problem. But I can take practical -- I can do the right practical thing, which is, first of all, I need to understand where is, from a privacy perspective, the sensitive personal information. And I need to, as a company, I need to have a really good sense of what systems I'm putting it in and prioritize an understanding of those systems around things like data sovereignty or cloud sovereignty before I focus on anything else. I may never be able to get to 100% of my company, but let's do the 80/20 rule, more 90/10 is probably more accurate, and find the most sensitive sets of data I have, identify the systems that access them, ask myself what those systems are doing, work with those vendors if I need to, and make sure that all that information, all that risk assessment is kind of captured in a system of record so I can guarantee that I know where information of my customers or employees or other personal data is actually going. It's a tough problem with no 100% solution, but that's how you start approaching it. And the secret sauce is to be able to prioritize your systems and not get just kind of paralyzed by the complexity of the systems that you have and the kind of constant ebbs and flows in the geopolitical landscape.

Caleb Tolin: Absolutely, yeah. We had a conversation with Hayden Smith back in December about just this topic of talking about software supply chains. And it was a slightly different conversation, you know, a different flavor, more focused on the security angle, more so than privacy. But mapping your dependencies was one thing we talked a lot about then. So for anyone who is listening who hasn't already caught that episode, go check it out. But I absolutely agree with what you're talking about. It's a big challenge, and it's something that we'll continue to need to address long-term.

Ojas Rege: I was thinking, there's one other interesting twist to data sovereignty that's related to AI. And that is that historically, all privacy legislation that's ever existed in any country, in any state, in any province, anywhere around the world, has really been there for one thing, to prevent harm to the human being, right, that their data is not misused for something that would create harm. It's all been harms based. But with the advent of AI, countries are also realizing that the data of their citizenry needs to be protected, not just so their citizens aren't harmed, right? But also because that data has economic value for AI. So anyone who has access to the data of a citizenry for whatever system they have is going to do a way better job of providing services, doing personalization, you know, targeting, for good or bad, the citizens of that country. So there's a new twist here where these data sovereignty notions are there, not, you know, or are arguably there, not just kind of as, you know, dealing with harm, but also shifting around as nation states think about what is the economic value of all this data I have on my citizens. And how do I make sure it's not like, you know, siphoned off to some AI system that is going to deliver that value to another country instead of me?

Caleb Tolin: Right.

Ojas Rege: It gets more complicated every day.

Caleb Tolin: It does. It does. They're not making it easy for the folks on the defenders of the enterprise side. So I do want to shift more into the AI conversation again. I know we were chatting a little bit about cloud there. But a lot of criticism around some of these AI regulations, like the EU AI Act that I mentioned earlier, is that it's kind of a brake on innovation, right? So, from your vantage point, how can strong privacy and data governance policies really accelerate agentic AI deployment rather than just slow it all down?

Ojas Rege: Yeah. I think it's always good to think about analogies here. Because this is the key question, right? I mean, it's like if I do good governance, am I going to inhibit my innovation? And that's a compromise we have to break. We have to get out of that mindset. We have to govern well and move fast. It's not 'or.' It has to be an 'and.' And if the governance organizations cannot do that, they will fail, right? So this is like the new world is both these things need to happen. And the example that I like, the analogy that I like is software development, right? So, you know, every single software development team anywhere in the world, like there's a couple of things that they truly understand. Like it doesn't matter where they operate. One is that the sooner you find a bug, the cheaper it is to fix. If your engineer who wrote the code finds a bug, cheap to fix, none of your customers are impacted, no impact on the business. The engineer misses it, and the quality assurance department finds it, a little bit more expensive to fix, right? And then you got to send the code back to the engineer and, you know, maybe it has other dependencies and so forth. But I'm still okay. No customer has been impacted. If that error makes it into market, now I've got a problem because now customers are being hurt. Very expensive to fix, reputational damage, potentially business damage. AI is the same way. Once I have an AI system trained and built, if I have built that system with inadequate guardrails, inadequate security, inadequate privacy, then it's only a matter of time before it causes harm, right? And then I got one of two options. Either I can continue to cause harm, not going to work, bad for my business. Or I've got to roll the whole thing back, which means my competitors have a two-year lead on me. So you've got to build this stuff from day one. This notion of privacy by design has existed a long time. But it's very relevant for AI, because you can't retrofit privacy onto an AI system that's already built. Let's say that's a system that is determining medical procedures or making decisions about employment, like hiring, or making law enforcement decisions, or deciding whether or not you get a loan. These systems, especially in the AI world that scales, will start making decisions really, really quickly. And if you haven't thought about safety and privacy in advance and built it in the system, then you haven't really got an understanding of your risk. And inevitably, you will not be able to sustain the long-term value of that operation. So I always think about responsible AI as a principle, as not something that is there just because it's good for ethical reasons. It is, but it's actually good for business reasons, because it allows you to sustain the ROI of AI. So now, your question around regulations, well, the challenge with AI regulations right now is they're kind of all over the map, right? Some exist; some don't. You know, there's always kind of, you know, a confusion around what's going to happen, when, and so forth. But we need to think of AI risk as not just compliance risk, but operational and business risk. So what I always tell our customers is you've got to think about a regulation-agnostic approach to AI governance. You've got to look at your business and figure out what the risks are that are most important to your business. And if your AI systems went wrong, how could they harm the business? Those are the risks you look at. And then absolutely, as regulation emerges, you make sure that if there's any tweaks you have to do to, you know, abide by the regulation, that you do that. But chances are the regulation is going to evolve in that same direction. So when regulation will slow you down is if you look at regulation as a gatekeeper at the end of the process. If you look at regulation as a set of guidelines that you should design into your product from day one, then it's actually going to speed you up over time because you're not going to have to go back and retrofit work that you've already done. So that's a real mindset shift, right? It's not really about the regs. It's about what are the policies I need to have to ensure my AI systems are responsible, meaning they're safe, they give me great business outcomes, and I can maintain their value over the long run.

Caleb Tolin: Right, absolutely. So what are two or three actionable steps that you would like to see organizations take today to improve their AI governance strategy from a data privacy and governance perspective?

Ojas Rege: First thing, you've got to become literate in AI, right? Organizational literacy around AI is absolutely fundamental. If you're responsible for governing AI, you've got to use AI. You've got to understand AI. You don't need to be a data scientist, but you have to be credible talking to a data scientist. So that means people in traditional governance, privacy, risk roles, which many times are not technical roles, sometimes they are, but many times they're not, there's a learning curve, right? So I always tell folks that this is part of, you know, kind of job qualifications moving forward. You've got to understand AI. You've got to use it in your personal life. You've got to use it in your professional life. You've got to follow it. You've got to understand it. You don't need to understand how the models work, but you've got to understand the inputs and the outputs. So that's number one, organizational literacy. Otherwise, nothing else happens. Number two is you just have to come to grips with the fact that AI is ubiquitous. It's not this discrete thing. Every line of code that you have in your company, every data set that you use, every business process you have in the next three years is going to be touched deeply by AI if it hasn't been already. That means there isn't any part of your organization that doesn't have AI in it. So now, suddenly, if you're responsible for figuring out risk, that feels overwhelming, right? But if you go in with the concept that it's ubiquitous and that you need appropriate prioritization framework to figure out where to focus first and last, then you'll have the starting point to success. Without that mindset and without, you know, having a system to prioritize where you focus your efforts, you're going to fail. You're going to be overwhelmed. And so the practical implication of that is that you should think about what do you fast path, where you just spend minor, you know, minor oversight, and then where are the AI initiatives that either touch very sensitive data and could go therefore horribly wrong, or are fundamental to your business model and spend 90% of your time on that. So organizational literacy, the acceptance that AI is ubiquitous, and the creation of a prioritization framework are three really good starting points for an organization.

Caleb Tolin: Right. Absolutely. I could not agree more. Well, Ojas, thank you so much for spending some time with us today. I think this is a really valuable episode for our listeners who are tuning in. Is there anything else that you'd like to leave them with as we're kind of wrapping up here?

Ojas Rege: Well, I think, you know, this is an inflection point. I mean, there's a lot of things that people call inflection points. But I do believe we're at a critical juncture in the way that machines and humans interact. And the world forward, you know, moving forward, is going to be different than the world of the past, and we can't predict what those changes are. So I would encourage everyone, just as a final point, to remember that our ability to tolerate ambiguity and to operate in a fast-moving, ambiguous world may be more important now from a professional perspective than it's ever been, thanks to AI and the pace of technology that it enables.

Caleb Tolin: Absolutely. Wonderful. Well, thank you so much for joining us again, and until next time.

Ojas Rege: Thank you, Caleb. It's been great being here. Thanks for having me on. [ Music ]

Caleb Tolin: That's a wrap on today's episode of "Data Security Decoded." If you like what you heard today, subscribe wherever you listen and leave us a review on either Apple Podcasts or Spotify. Your feedback really helps me understand what you want to hear more about. And if you want to email me directly about the show, send us an email at data-security-decoded@n2k.com. Thank you to Rubrik for sponsoring this podcast. The team at N2K includes Senior Producer Alice Carruth and Executive Producer Jennifer Eibin, Content Strategy by Mayim Plaut, Sound Design by Elliott Peltzman, Audio Mixing by Elliott Peltzman and Trey Hester, Video Production and Support by Bridget Crickey-Wild [assumed spelling] and Sorrel Joppe. [assumed spelling] Until next time, stay resilient. [ Music ]

Data Security Decoded
Podcast Info
HOST(S):
Caleb Tolin
As the host of Data Security Decoded, Caleb Tolin dives deep with cyber experts to deliver actionable, vendor-agnostic insights to reduce data security risks and improve cyber resilience outcomes. Caleb asks the incisive questions that you need answered, extracting actionable guidance for defenders. Come be obsessed with improving your organization's cyber resilience.
Schedule: Two times per month. Every other Tuesday.
Credits: Data Security Decoded is a podcast by Rubrik.
Creator: Rubrik
Data Security Decoded