A
You're listening to the Cyberwire Network, powered by N2K.
B
The topic that we're discussing here, data and cloud sovereignty. This has actually been core to privacy for a long time, right? Kind of. It's not necessarily a new topic. There's some new things in the geopolitical landscape that are increasing the emphasis on it, but this has been the case since day one of privacy. There's this notion of data transfers that's kind of fundamental to privacy, which is I'm the citizen or the resident of a particular country, you, the service provider, the website, whoever it is, has collected information about me. What other countries are you sending that information to?
A
Hello and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolan, and if this is your first time joining us, welcome to the show. Make sure you hit that subscribe button so you're notified when we drop new episodes, and if you're a returning subscriber, thanks for spending some more time with us. Give us a rating. Drop a comment below. Let us know what you think about this episode and the show in general. Your feedback really helps me understand what you want to hear more about, and it helps us reach more listeners just like you who are eager to learn more about improving risk across their business. Now, today I had a great conversation with Ojus Raji, the SVP and GM of Privacy and Data Governance at OneTrust, and we discussed how organizations can approach data privacy and governance as they begin their AI transformation and navigate the increasingly complex geopolitical environment. Not an easy subject to get into, but let's get into it. Ojus, welcome to the podcast. I'm so excited to have you on. I think we're going to have a really impactful conversation around data governance and data privacy. But before we dive into that, I would love to know what is something that you're obsessed with lately that has nothing to do with security, AI or, or any of this, like, tech mumbo jumbo that we're going to spend a lot of time talking about? I'll go first. Mine has been these little like desk figurines that I've been kind of filling my workstation with a bit. I have like a little Pokemon little figurine here that I've recently. I think I mentioned this in one of my, one of the previous episodes, but I recently got back into Pokemon from when I was a kid. But how about you? What's something that's not related to security, AI or tech?
B
For me, I'm a big comic book collector and so I'm always, like, scouring eBay for fun things that might be up. And my biggest find is over the course of the last couple of weeks. There's a couple of folks probably about my age who started collecting comics in like the 70s who, you know, for one reason or other, are deciding to get rid of their stuff and they're selling it for like, really reasonable prices. And so I'm like every day checking out, you know, what they got and not sure where I'm going to put it all. But, you know, you worry about those things later.
A
I love that. Are you more of a DC or a Marvel guy or another Marvel? Awesome. Well, thanks for sharing that. And to get into the meat of the conversation here on data privacy and governance, let's first start talking about AI. I think we're going to spend a lot of time talking about AI, since it's so relevant to data governance and data privacy. So with the rise of AI in the enterprise, specifically as enterprises are deploying, sometimes at scale, hundreds of AI agents across their business, what does that fundamentally mean for data privacy?
B
Well, what it means is that there's a whole bunch of different ways you might very quickly use data that you weren't doing before. So, so like I, I, I view AI as, it gives you as an organization the ability to do a lot of stuff, right? Scale up your operations. That means you can do a lot of great stuff and create a lot of great opportunities quickly. It also means that you can do a lot of bad stuff quickly. And this is the challenge with privacy, which is that if there is really a privacy issue, historically pre-AI, yes, you might have done something, might have exposed that issue. But now with AI, everything, especially if you have agents, is moving a thousand times as fast. So you have the potential of really causing harm, right, to your customers, to your constituents, if you really haven't thought about the risk management effectively in advance. So it just scales up the good and it can scale up the bad, right?
A
Right. It's a really consistent or concise way of saying that. And so agentic AI systems are definitely designed to repurpose data dynamically, but under rules like GDPR and the EU AI Act, where, where does purpose limitation genuinely break down and where are organizations misunderstanding the risk?
B
So the central premise of the notion of purpose in privacy legislation is that I'm an individual, I own my data, I let you, the service provider, use it for a particular purpose. So I give you permission, consent to use it for a particular purpose, so you can't use it for something else. Right. And so that's called purpose limitation. Because if you come to me and say, hey, Ojus, can I use your contact information to be able to send you some weekly literature about the product that you're using? And I'd be like, okay, go ahead and do it. But if you came to me and said, hey, Ojus, can I start using your personal contact information to, you know, create targeting mechanisms to be able to sell you more stuff in XYZ way, I may say, no, I don't want that right now. The challenge is so. And that's fundamental to privacy in every single regulation. If you are going to do something else with the data, you have to get consent for that something else, that new purpose. The challenge with AI is the following, which is an AI model is general purpose. You can use an AI model for anything. You could use it for personalization use cases. You could use it for product development use cases. It can do a lot of stuff. And so what I always tell customers how to think about this notion of purpose limitation is think about the data set you have that is personal information. If you are using, if you're applying AI to that data set to do the same thing that you got consent for. So the customer said, hey, I want a personalized web experience. And you're using AI to deliver them a personalized web experience, it's the same purpose. You're okay. But if you're training that AI system, those AI models on that personal data, now you got a problem, because now that data could be used for anything else in the context of that model.
So I think at the high level, the key thing to always ask is, you got this personal information, what are you using it for? Now that you're applying AI to it, are you still using it for the same thing? If so, then you know what, you're probably okay. If, because you now have AI, you have introduced 15 more uses of it? Well, then you better reconsider the consent that you got and go back to your consumers and see if they're okay with all these new uses you have. And you got to be very clever about how you do that, obviously, and be transparent.
A
Right, Right. Otherwise you can put yourself in quite the legal pickle for sure.
B
Yeah. And I think there's two things here. You can put yourself in the legal pickle, but also transparency drives trust. You can't have trust without transparency. And I think in an AI world, consumer trust, customer trust becomes increasingly important, because if I do something to damage that consumer or damage the trust, and it can be a variety of things I might end up doing. It's very difficult to get it back. So I always think about, you know, you got to wrap your arms around AI risk, not just because there's a law potentially for privacy or for AI, but because you don't want to take on business and operational risk that's going to harm what you do. Right. For as a, as a living.
A
Right. Absolutely. And I love what you had to say about trust there. And I kind of want to talk about trust in a slightly different aspect, kind of getting a little away from what we're talking about with AI here. And I want to talk a little bit more about cloud, because the concept of cloud data sovereignty has grown in immense popularity, especially in European organizations who are concerned about these major cloud providers, you know, GCP, Azure, AWS, that are typically U.S. hosted businesses, having access to or all of their data is hosted through these businesses that are US based or maybe based in a different domain. And they're kind of concerned for the geopolitical issues that could arise from that depending on political volatility and things like that based in the host nation. So for European organizations that are concerned about this issue, what can they do today to start giving them peace of mind, knowing that their data privacy isn't being infringed upon?
B
The topic that we're discussing here, data and cloud sovereignty, this, this has actually been core to privacy for a long time. Right? Kind of. It's, it's not necessarily a new topic. There's some, you know, new things in the geopolitical landscape that are increasing the emphasis on it. But this has been the case since day one of privacy. There's this notion of data transfers that's kind of fundamental to privacy, which is I'm the citizen or the resident of a particular country, you, the service provider, the website, whoever it is, has collected information about me. What other countries are you sending that information to? Right. Like this whole notion of information about the residents of my country being sent to other countries either without their permission or without their knowledge, or in a way where their privacy is not protected, has been fundamental since the beginning of the GDPR. So what do you do? What is the path people take? And I think that path continues to be the same. The urgency might change based on geopolitical attributes, if you will, or the environment. But the path is the following: I need to understand. So let me look kind of inside my company first. I need to understand what, what data I have about who. And once I understand what data I have about who, then I need to understand is that data ever moving anywhere else? And that requires me to have visibility within my organization for that data. And then all that information is mapped into, you know, systems like OneTrust or others where you actually start mapping out where those transfers go. And then if that data is moving somewhere else, then, you know, you might have a new risk assessment you have to do. There might be new actions you have to take, there might be new data, you know, kind of mitigations or remediations you have to do as well. So within your company, if you invest the time and energy, you can get a pretty good sense of that.
The big blind spot for organizations is the software supply chain. And AI actually makes this actually more complicated. So this is why, along with geopolitical forces, the advent of AI makes this a more difficult problem. Because my data is stored, to your point, in some other system, some application provider. And even if I feel comfortable with that application provider, do I know what application providers they're using and what's happening down that chain? This becomes a little bit challenging. And so what it means is, you know, at the high end, maybe it's a little bit of an unsolvable problem. But I can take practical, I can do the right practical thing, which is, first of all, I need to understand where is, from a privacy perspective, the sensitive personal information. And I need to, as a company, I need to have a really good sense of what systems I'm putting it in and prioritize an understanding of those systems around things like data sovereignty or cloud sovereignty before I focus on anything else. I may never be able to get to 100% of my company, but let's do the 80/20 rule. More than that, 90/10 is probably more accurate. And find the most sensitive sets of data I have, identify the systems that access them, and ask myself what those systems are doing, work with those vendors if I need to, and make sure that all that information, all that risk assessment is kind of captured in a system of record. So I can guarantee that I know where information of my customers or employees or other personal data is actually going. It's a tough problem with no 100% solution, but that's how you start approaching it. And the secret sauce is to be able to prioritize your systems and not get just kind of paralyzed by the complexity of the systems that you have and the kind of constant ebbs and flows in the geopolitical landscape.
A
Absolutely, yeah. We had a conversation with Hayden Smith back in December about just this topic of talking about software supply chains. And it was a slightly different conversation, you know, a different flavor, more focused on the security angle more so than privacy. But mapping your dependencies was one thing we talked a lot about then. So for anyone who's listening who hasn't already caught that episode, go, go check it out. But I absolutely agree with what you're talking about. It's a big challenge and it's something that we'll continue to need to address long term.
B
I was thinking there's one other interesting twist to data sovereignty because that's related to AI and that is that historically all privacy legislation that's ever existed in any country, in any state, in any province, anywhere around the world has really been there for one thing, to prevent harm to the human being. Right. That their data is not misused for something that would create harm. It's all been harms based. But with the advent of AI, countries are also realizing that the data of their citizenry needs to be protected, not just so their citizens aren't harmed. Right. But also because that data has economic value for AI. So anyone who has access to the data of a citizenry for whatever system they have is going to do a way better job of providing services, doing personalization, targeting for good or bad, the citizens of that country. So there's a new twist here where these data sovereignty notions are. They are not, you know, are arguably there. Not just kind of as, you know, dealing with harm, but also shifting around as, as, as nation states. Think about what is the economic value of all this data I have on my citizens and how do I make sure it's not like, you know, siphoned off to some AI system that is going to deliver that value to another country instead of me.
A
Right.
B
Gets more complicated every day.
A
It does, it does. They're not making it easy for the folks on the defenders of the enterprise side. So I do want to shift more into the AI conversation again. I know we were chatting a little bit about cloud there, but a lot of criticism around some of these AI regulations, like the EU AI Act that I mentioned earlier, is that it's kind of a brake on innovation. Right. So from your vantage point, how can strong privacy and data governance policies really accelerate agentic AI deployment rather than just slow it all down?
B
Yeah, I think it's always good to think about analogies here because this is the key question, right? I mean, it's like if I do good governance, am I going to inhibit my innovation? And that's a compromise we have to break. We have to get out of that mindset. We have to govern well and move fast. It's not an or, it has to be an and. And if the governance organizations cannot do that, they will fail, right? So this is like the new world is both these things need to happen. And the example that I like, the analogy that I like is software development, right? So every single software development team anywhere in the world, there's a couple of things that they truly understand. It doesn't matter where they operate. One is that the sooner you find a bug, the cheaper it is to fix. If your engineer who wrote the code finds a bug, it's cheap to fix, none of your customers are impacted. No impact on the business. The engineer misses it and the quality assurance department finds it, it's a little bit more expensive to fix, right? And then you got to send the code back to the engineer and, you know, maybe it has other dependencies and so forth, but I'm still okay. No customer has been impacted. If that error makes it into market, now I got a problem because now customers are being hurt. Very expensive to fix. Reputational damage, potentially business damage. AI is the same way. Once I have an AI system trained and built, if I have built that system with inadequate guardrails, inadequate security, inadequate privacy, then it's only a matter of time before it causes harm, right? And then I can't. Then I got one of two options. Either I can continue to cause harm, not going to work, bad for my business, or I got to roll the whole thing back, which means my competitors have a two year lead on me. So you got to build this stuff from day one. This notion of privacy by design has existed a long time, but it's very relevant for AI because you can't retrofit privacy onto an AI system that's already built.
Let's say that's a system that is determining medical procedures or making decisions about employment like hiring or making law enforcement decisions or deciding whether or not you get a loan. These systems, especially in an AI world that scales, will start making decisions really, really quickly. And if you haven't thought about safety and privacy in advance and built it into the system, then you haven't really gotten an understanding of your risk and inevitably you will not be able to sustain the long term value of that operation. So I always think about responsible AI as a principle as not something that is there just because it's good for ethical reasons. It is, but it's actually good for business reasons because it allows you to sustain the ROI of AI. So now your question around regulations. Well, the challenge with AI regulations right now is they're kind of all over the map, right? Some exist, some don't. You know, there's always kind of, you know, confusion around what's going to happen, when and so forth. But we need to think of AI risk as not just compliance risk, but operational and business risk. So what I always tell our customers is you got to think about a regulation agnostic approach to AI governance. You got to look at your business and figure out what the risks are that are most important to your business. And if your AI systems went wrong, how could they harm the business? Those are the risks you look at. And then absolutely, as regulation emerges, you make sure that if there's any tweaks you have to do to abide by the regulation, that you do that. But chances are the regulation is going to evolve in that same direction. So when regulation will slow you down is if you look at regulation as a gatekeeper at the end of the process.
If you look at regulation as a set of guidelines that you should design into your product from day one, then it's actually going to speed you up over time because you're not going to have to go back and retrofit work that you've already done. So that's a real mindset shift, right? It's not really about the regs and it's about what are the policies I need to have to ensure my AI systems are responsible, meaning they're safe, they give me great business outcomes and I can maintain their value over the, over the long run, right?
A
Absolutely. So what are two or three actionable steps that you would like to see organizations take today to improve their AI governance strategy from a data privacy and governance perspective?
B
First thing, you gotta become literate in AI, right? Organizational literacy around AI is absolutely fundamental. If you're responsible for governing AI, you gotta use AI, you gotta understand AI. You don't need to be a data scientist, but you have to be credible talking to a data scientist. So that means people in traditional governance privacy risk roles, which many times are not technical roles, sometimes they are, but many times they're not. There's a learning curve, right? So I always, I always tell folks that this is part of, you know, kind of job qualifications moving forward. Gotta understand, yeah, you gotta use it in your personal life, you gotta use it in your professional life, you gotta follow it, you gotta understand it. You don't need to understand how the models work, but you gotta understand the inputs and the outputs. So that's number one, organizational literacy, otherwise nothing else happens. Number two is you just have to come to grips with the fact that AI is ubiquitous. It's not this discrete thing. Every line of code that you have in your company, every data set that you use, every business process you have in the next three years is going to be touched deeply by AI if it hasn't been already. That means there isn't any part of your organization that doesn't have AI in it. So now suddenly, if you're responsible for figuring out risk, that feels overwhelming, right? But if you go in with the concept that it's ubiquitous and that you need an appropriate prioritization framework to figure out where to focus first and last, then you'll have the starting point to success. Without that mindset and without, you know, having a system to prioritize where you focus your efforts, you're going to fail, you're going to be overwhelmed. And so the practical implication of that is that you should think about what do you fast path, where you just spend minor, you know, minor oversight.
And then where are the AI initiatives that either touch very sensitive data and could go therefore horribly wrong or are fundamental to your business model and spend 90% of your time on that? So organizational literacy, the acceptance that AI is ubiquitous and, and the creation of a prioritization framework are three really good starting points for an organization, right?
A
Absolutely. I could not agree more. Well, I'll just thank you so much for spending some time with us today. I think this is a really valuable episode for our listeners who are tuning in. Is there anything else that you'd like to leave them with as we're kind of wrapping up here?
B
Well, I think, you know, this is an inflection point. I mean, there's a lot of things that people call inflection points. But I do believe we're at a critical juncture in the way that machines and humans interact. And the world forward, you know, moving forward is going to be different than the world of the past and it's. And we can't predict what those changes are. So I would encourage everyone, just as a final point, to remember that our ability to tolerate ambiguity and to operate in a fast moving, ambiguous world may be more important now from a professional perspective than it's ever been. Thanks to AI and the pace of technology that it enables.
A
Absolutely wonderful. Well, thank you so much for joining us again and until next time, thank you.
B
Caleb, it's been great being here. Thanks for having me on.
A
That's a wrap on today's episode of Data Security Decoded. If you like what you heard today, subscribe wherever you listen and make sure to leave us a review on either Apple Podcasts or Spotify. Your feedback really helps me understand what you want to hear more about. And if you want to email me directly about the show, send us an email at data-security-decoded2k.com. Thank you to Rubrik for sponsoring this podcast. The team at N2K includes senior producer Alice Carruth and executive producer Jennifer Ibin. Content strategy by Mayan Plout. Sound design by Elliot Peltzman. Audio mixing by Elliot Peltzman and Trey Hester. Video production support by Bridget, Kriki Wilde and Sorel Joppy. Until next time, stay resilient.
Host: Caleb Tolan (A)
Guest: Ojus Raji, SVP & GM of Privacy and Data Governance at OneTrust (B)
Release Date: March 3, 2026
In this episode, host Caleb Tolan sits down with Ojus Raji of OneTrust to explore the evolving challenges of data privacy and governance in an age where AI technologies are deployed at scale within enterprises. Their conversation covers the intensified risk landscape brought by agentic AI systems, the complexities of cloud and data sovereignty—especially in a shifting geopolitical climate—and actionable advice for cybersecurity and IT professionals seeking to keep pace with rapid changes. The episode’s central argument: organizations must develop proactive, adaptable approaches to privacy and governance to enable responsible innovation and maintain trust, rather than seeing regulation as a brake on progress.
This episode of Data Security Decoded is an essential listen for security, privacy, and IT leaders grappling with AI’s complexities. Ojus Raji, with clear analogies and practical advice, urges organizations to see governance and privacy as keys not just to compliance, but to maintaining trust and accelerating safe, innovative AI deployment—even as regulations and risks continue to evolve. The conversation underscores the need for literacy, prioritization, and adaptability amid ambiguity, making the episode both timely and deeply actionable.