It is often asked, “How can we protect the privacy of our customers’ personal data while leveraging that data via AI and analytics?” This question reflects a growing internal dilemma as companies pursue advanced analytics and artificial intelligence. The troves of data produced by customers’ increasingly digital lives can be a rich source of insight for organizations using advanced analytics tools. At the same time, this deep data is a profound concern to IT staff committed to meeting regulatory agencies’ and consumers’ expectations around data privacy.
Both objectives are important, but meeting them simultaneously requires confronting an inherent conflict. Increasing data privacy in the context of analytics and AI often involves using techniques that can reduce the utility of the data, depending on the task and the privacy preservation technique chosen. An increasing number of organizations will face this issue as the fields of analytics and AI continue to evolve quickly.
This leads to the widespread availability of various tools and techniques (including turnkey and cloud-based services) that enable organizations to utilize data more efficiently than ever. Meanwhile, customers have increasing expectations that companies will take all necessary precautions to protect the privacy of their personal data, especially in light of reports of large-scale data breaches covered by mainstream media outlets. Global regulations on personal data back these expectations and AI that make it critical for companies to keep personal data protection practices in compliance.
Balancing privacy with AI analytics
Fundamentally, data privacy is about assessing the probability that one or more attributes, or pieces of information, about an individual whose data has been anonymized and included with others in a data set can be used to re-identify that specific individual. Some attributes are obvious: direct identifiers such as names and Social Security numbers enable almost immediate identification.
Quasi-identifiers do not generally enable the identification of a single individual on their own, but their uniqueness or combination with other attributes may do so. For example, the combination of a person’s age and their address may enable their re-identification. Consider a data set held by a bank’s fraud alert team on customers’ card transactions.
That data set contains both direct identifiers (such as the customer’s name) and quasi-identifiers (such as credit card transaction information). Gregory Vial is an associate professor in the Department of Information Technologies at HEC Montréal. Julien Crowe is senior director of artificial intelligence at the National Bank of Canada.
Patrick Mesana is a doctoral candidate in the Department of Decision Sciences at HEC Montréal.
