CrystalBall
Problem: Digital trust differential between organizations and individuals has created new challenge for the society. With almost every service being digitally enabled, individuals share their personal data to the service providers voluntarily or mandatorily. Personal data shared by individuals (through input forms, cookies, etc.) is percolated into the systems that are designed to benefit organizations in non-transparent manner. Individuals want data privacy by having control over their personal data to govern marketing, cross-selling, profiling, and tracking etc. However, organizations do not facilitate such consent driven data usage mechanisms leading to digital trust differential. This was recently exposed in case of Facebook when its 50 million users private data was exploited by Cambridge Analytica, a third party. In 2012 itself, we had this realization (that was confirmed by other industry surveys in 2015) that while preventive data masking controls were a must have for any organization, there was going to be a need for fair usage privacy controls that provided an individual granular control over her data even after it had been shared with an organization, helped establish transparency of organizational data usage, and in the process built trust with the individual. For the organization itself, awareness of its own data usage was going to be extremely useful when it came to the smart information lifecycle management, and its monetization. This triggered Human-centric privacy paradigm. It got more thrust because the same privacy goals are now echoed in the EU’s 2018 GDPR where fines for non-compliance are 4% of global company revenue / 20 million Euros. Other countries including India are also planning similar regulation for data protection.
Present Tense: Privacy is a challenge!
1) 67 % Organizations ask for too much personal information, & operations are not transparent (Ref: Rethinking Personal Data: A New Lens for Strengthening Trust Prepared in collaboration with A.T. Kearney May 2014)
2) 78 % Consumers do not trust organizations when it comes to use of personal data (Ref: The future of digital trust: A European study on the nature of consumer trust and personal data Feb 2014)
3) 80 % Consumers know that their personal data has value to businesses. (Ref: The future of digital trust A European study on the nature of consumer trust and personal data Sept 2014)
4) 86 % Young people are concerned about privacy of their personal data (Ref: Global Cyber Security Capacity Centre: A New Privacy Paradox: Young people and privacy on social network sites Feb 2014)
5) 90 % Consumers want control over their data possessed by organizations. (Ref: Customer Data: Designing for Transparency and Trust MAY 2015)
So the main root cause for this problem, is “Trust Differential” between data subject expectations and the actual usage of data by the given organization.
How is the above problem best solved today globally?
1) Process tweaks & prioritization: Organizations are prioritizing the remediation effort based on application criticality and legal guidance. They are remediating only a subset of applications that have high & medium impact. However, being done in ad-hoc fashion, they may be introducing changes in data collection and processing that make it unreliable.
2) Updating legal & privacy notices: Users will now have to read and understand privacy notices several times, and then give their consent to something that they do not really understand. Many organizations are flooding users with privacy consent notices, thus creating fatigue. Some are even trying to use visual tricks to avoid users from opting-out.
3) Awareness & training among employees: It is typically non-personalized, and not engaging, therefore, not sticky. So, its effectiveness is always questionable.
These solutions are ad-hoc and short-term fixes. A holistic, systematic and technology driven approach is a need of the hour.
The BIG Question: Can we create a Technovation that will empower individual and help achieve ‘My Data My Control’ dream ?
So, we decided to create a platform (Crystal Ball) which acts as an OBSERVER and ENFORCER between the services of the organization accessing customers’ data and the customer.
Solution Iteration - 1
To give users control over their own data inside organization systems, with a common platform to manage preference and show proof/logs of data access.
We first constructed a SMS-based application to send notification to user and seek users consent for use of users data.
As SMS based notification was not efficient and user feedback suggested us to go for mobile app way, hence in next iteration we developed an Android mobile app.
Solution Iteration - 2
FInal Iteration
To make sure the solution can be integrated with existing application web services developed which can be called within application.
Crystal Ball has two parts.
Part I is the “Intent Capture”. Here, organization publishes all different purposes, and for each purpose, what personal data it processes, purpose lifespan, etc. on a portal. And, individuals either through a mobile app, or registered email, or by logging onto the portal, provide their consent (yes/no) against each purpose or request for execution of some data rights.
Do you think this “Collect It, Store It and Forget It” approach is enough? Of course, NOT!
What about the enforcement of individual’s consent or data right in organizational data processing? However, Part-I is what largely our competition offers as a consent and data rights management solution!
Now, for Crystal Ball Part II, the “Live Enactment”. Here, our patented technology can intercept information flows in legacy systems, on-the-fly redact the personal data for any specific individual if she had wished so for the underlying purpose or context, and create audit trails/proof points for compliance. It can also execute operations on the stored data to meet individual’s data right request.
On top, we have also designed a recommender system for individuals to help manage their consents coherently, consistently in light of the consent fatigue. Btw, talking of the consent fatigue, a single LinkedIn asks us @70 different consents in post-GDPR era!
TCS patented technology enables organizations and end users to centrally manage entire personal data lifecycle using granular APIs (web services). The initial intent capture section helps organization internally map data-purpose-user uniquely throughout application stacks. The workflow driven purposes are shown to the end users for collecting consent in a presentable form, including cookies with option to revoke anytime. Once the consent is captured and stored on cloud/on premise, organization applications consults this preference centre automatically for each usage, creating an audit trail. The enforcement engine dynamically masks/unmasks required data for the given purpose based on the consent choices made by data subjects avoiding data exposure. The dashboard created using these logs gives instance visibility to the Data Protection Office to manage actions. The end users and organizations can manage their data related requirements till data gets deleted from the organization.
Challeges Overcome
1] Techno-Legal: Heterogeneous environments, discovery issues, groups working in silos, no SPOC drive, etc. created challenge with the onset of GDPR. With account teams support, we evolved Crystal Ball to address these hurdles
2] Enforcement: To create hooking points inside existing systems of the enterprise to observe the data flows & enforce individual’s preferences. We used web service based design that made it easy to integrate with existing enterprise systems
3] Visibility: DPO needs to monitor overall consent orchestration. We developed a complete dashboard with underlying workflows, granular logging, consent lineage etc.
4] Min Information Disclosure: Limit data exposure to the enterprise user. We developed dynamic data masking & un-masking tech that works on-the-fly without any changes to backend.
Uniqueness of our technology
Our vision is to empower individuals to realize ‘My Data, My Control’ dream, and not simply meet here and now compliance goals. As part of this, we have come up with new class of Fair Usage Privacy Controls - Crystal Ball.
1. Going beyond mere compliance: Crystal ball helps in the enactment of foundational data privacy principles by providing personal data control to the user, thus increasing trust & accountability in the enterprise applications.
2. Purpose drive data sharing: Unique and patented capability to do dynamic data masking and unmasking based on purpose.
3. Just-in-Time consent feature: Also Crystal ball real time consent feature can lead to innovations in the consent driven data sharing space.
4. Holistic privacy management: The ability to integrate with TCS MasterCraft data plus product will strengthen the overall all TCS privacy offering.
5. Monetization: Fine-grained awareness about data usage creates possibilities for data monetization by both data owner & consumers.
Publications
1) Challenges in enabling privacy self management, Kumar Vidhani, Vijayanand Banahatti, & Sachin Lodha. CSI Transactions on ICT 9, 185–191 (2021).
2) Consent Recommender System: A Case Study on LinkedIn Settings. Rosni K V, Manish Shukla, Vijayanand Banahatti, Sachin Lodha. PAL: Privacy-Enhancing Artificial Intelligence and Language Technologies (PAL2019)
3) TCS Crystal Ball, FTC Government (2016)
Patents
1) Data Privacy Management. US Patent Grant No. 9928381 (Pending in Europe and India)
2) Method and System for Generating Consent Recommendation 201821040563 (Pending)
3) System & Method for Enabling Data Privacy Using Cookie Based Consent 201821038135 (Pending)
4) Method and System for Privacy Policy Management. 201721017374 (Pending)
5) Method and System for Implementing Compliance Management for Enterprise Resources. 201721019469 (Pending)
Appreciation
2) TCS Recognized as a Leader in GDPR Services by NelsonHall (2018) Press Release
3) Finalist in TCS Bank of the Future competition (January 2015)
4) Selected to showcase in TCS Innovation Forum event, New York, USA (April 2015)
TCS Product based Solution
TCS Cybersecurity Service Solution to Operationalize and automate data privacy compliance requirements
----------------------------------------------------
Team size: (min-max): 2-5
Technology: JAVA/J2EE, JavaScript, Android
My Role: Team Lead
My Contribution: Initial idea, Brainstorming, Product Design, Presentation to customers, Consulting, Solution creation, Team coordination.
----------------------------------------------------
Team size: (min-max): 2-5
Technology: JAVA/J2EE, JavaScript, Android
My Role: Team Lead
My Contribution: Initial idea, Brainstorming, Product Design, Presentation to customers, Consulting, Solution creation, Team coordination.
----------------------------------------------------
