Get ready for an eye-opening conversation with Sanjay Saini, the founder and CEO of Privaini, a groundbreaking privacy tech company. Sanjay's journey is not only impressive due to his role in creating high-performance teams that have built entirely new product categories, but also for the invaluable lessons he learned from his grandfather about the pillars of successful companies - trust and human connections. In our discussion, Sanjay shares how Privaini is raising the privacy bar by constructing the world's largest repository of company privacy policies and practices. It's a fascinating dive into the future of privacy risk management.
Imagine being able to gain full coverage of your external privacy risks with continuous monitoring. Wouldn't that revolutionize your approach to risk management? That's exactly what Privaini is doing! Sanjay explains how Privaini utilizes AI to analyze, standardize, and derive meaningful "privacy views" and insights from vast volumes of publicly-available data. Listen in to understand how Privaini's innovative approach is helping companies gain visibility into their entire business network to make quicker, more informed decisions.
Topics Covered:
- What motivated Sanjay to found companies that bring trusted systems to market and why he founded Privaini to focus on continuous privacy risk monitoring
- How to quantitatively analyze & monitor privacy risk throughout an entire 'business network' and what Sanjay means by 'business network'
- Which stakeholders benefit from using the Privaini platform
- The benefits to calculating a "quantified privacy risk score" for each company in your business network to effectively monitor privacy risk
- How Privaini leverages AI to discover external data about companies' privacy posture and why it must be used in a responsible and deliberate way
- Why effective privacy risk monitoring of a company's business network requires an “outside-in” approach
- The importance of continuous monitoring & the benefits to using an 'outside-in' approach
- What it takes to set up an enterprise's network with Privaini for full coverage of external privacy risks
- The recent Criteo fines and how Privaini could have helped Criteo surface privacy risks about its vendors
- Why Sanjay believes learning about the “right side” of the equation is necessary in order to "shift privacy left."
Guest Info:
Privacy assurance at the speed of product development. Get instant visibility w/ privacy code scans.
Shifting Privacy Left Media
Where privacy engineers gather, share, & learn
Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.
Copyright © 2022 - 2024 Principled LLC. All rights reserved.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sanjay Saini (00:01):
A company should look at the broader view of the
enterprise privacy riskmanagement because it is the
right thing to do.
It has a positive impact on thebottom line and it builds trust
.
It builds trust with otherbusinesses; it builds trust with
regulators; and, moreimportantly, your customers.
Debra J Farber (00:26):
Welcome everyone to Shifting Privacy Left.
I'm your host and residentprivacy guru, Debra J Farber.
Today, I'm delighted to welcomemy next guest, Sanjay Saini,
founder and CEO of Privaini, aprivacy tech company that
provides privacy risk monitoringto enterprises.
Privaini provides visibilityinto privacy risk and actionable
(00:48):
insights to enterprises with afact-based, systematic approach
to mitigate reputation and legalrisk for data privacy in their
business network.
Proveni boasts the largestrepository of company privacy
policies and practices.
Each policy is categorized,analyzed and continuously
monitored.
The product is designed for CPO, DPO, risk and compliance
(01:12):
officers, vendor management,groups, insurers and teams that
focus on data privacy riskmanagement.
I also want to disclose that Irecently joined Privaini's
Advisory Board and I'm excitedby what Sanjay and team are
bringing to market.
Now I want to tell you a littlebit more about Sanjay, because
he's an impressive serialentrepreneur and strategic
(01:33):
leader.
He's led high-performance teamsthat built entirely new product
categories.
Examples include (01:38):
developing the number one crisis
communication system for federalgovernment called AtHoc; the
first nationwide location systemwith Polaris Wireless; the
first worldwide payment gatewaywith Kibira; and the first
real-time mobile provisioningsystem; and the first IT
(02:01):
governance platform with Kintana.
In fact, Privaini is Sanjay'sfifth startup.
Welcome, Sanjay.
Hi, great to be here.
So, Sanjay, tell us a littlebit more about your background.
What motivated you to foundcompanies that bring trusted
systems to market?
Sanjay Saini (02:19):
Thank you, Debra.
Before I start into it, I wantto share two lessons that I
learned from my grandfatherearly on in my life, and I
firmly believe in these.
First of all, people dobusiness with people, not
companies.
And secondly, long-termsuccessful companies run on
trust.
These two principles haveguided me throughout my career
(02:41):
and continue to hold true today.
I've been fortunate to be partof many successful companies
that have changed the waybusiness is done.
One of my earliest experienceswas at Kintana, under the
leadership of Raj Jain, where wecoined the phrase "IT
components.
" This was even before the eraof Sarbane's- Oxley, and we led
(03:03):
the foundation for the companiesto manage their IT portfolio
efficiently, especially when itcame to regulatory compliance
and IT controls and buildingtrust in companies' financials.
After that, I ventured into theFinTech world, where we built
the world's first real-timepayment gateway with
(03:23):
unparalleled availability andtrust that our card transactions
will go through no matter what.
This system has been runningsince 2005 without a single
second of downtime, which is, Ibelieve, quite remarkable.
And, I had a privilege ofworking on the first real-time
mobile provisioning system inthe telco industry.
(03:45):
And in my last venture, wedeveloped the number one crisis
communication and emergencymanagement system, which is
widely used by the federalgovernment and various large
companies to save lives.
I've always found myself drawnto complex technical problems in
business networks withregulatory compliance
(04:06):
obligations.
The products so far that I'vebeen part of have always had one
common thread (04:11):
they focus on fostering trust, whether it's
between two businesses or withthe end users.
There's a sense of purpose incontributing in integrity and
reliability of these systems.
Now, privacy has become aparamount concern in our rapidly
evolving digital world.
To tackle the intricacies andimportance of data privacy and
(04:33):
trust, I'm collaborating withexceptional privacy leaders,
former regulators and industrychampions.
Tom Kemp, a good friend,investor and advisor, is one of
the privacy leaders, privacypolicy authors, and now he's
taking on big data companies andhe is part of our Privaini
family.
A former FTC Chairperson(Maureen Ohlhausen O is an
(04:55):
Advisor to us who helps solvethis complex privacy risk
management problem.
Together, we are committed tofinding an innovative solution
to the challenges that arise inthis space, and our collective
mission is to safeguardindividual privacy rights while
ensuring companies can operateresponsibly in the data-driven
(05:16):
landscape.
Debra J Farber (05:16):
I mean, it's just all so important and I'm so
glad you're focused on it.
But I'm so curious, whatmotivated you to found Privaini?
You could have started anynumber of companies right now.
What is it about privacy riskmonitoring that motivated you to
tackle this challenge inparticular?
Sanjay Saini (05:35):
Well, it all started with a letter from a
major credit card companywarning of a potential personal
information breach from one ofits business partners.
I'm sure, like many of us, I'vehad seen such notices before
and often ignored them, assumingthat the companies that we
trust to handle our data wouldhave it under control.
However, these privacy noticesjust kept pouring in from
(06:00):
various companies from which Ihave been buying and different
products and services andtrusted them to manage my own
privacy and my own personalinformation.
I realized that even theselarge companies struggled to
effectively manage the privacyrisks across their business
network.
So I got curious and after thatI spoke to maybe over 50
(06:22):
executives and a common themeemerged that the challenge was
simply too complex for anysingle company to handle privacy
risks across their entirebusiness networks.
Most companies were usingoutdated methods, managing
privacy risk through cumbersomespreadsheet and annual
(06:42):
questionnaires.
Shockingly, only about 8 to 10%of their business network
partners were manually reviewed,leaving the vast majority
unchecked and definitely notmonitored.
Very reactive approach, I willsay.
It became evident that this wasa pressing B2B issue, especially
for companies with complexbusiness networks and strict
(07:06):
regulatory compliancerequirements.
Understanding privacy risk,Debra, for one company itself is
very hard, let alone for anentire business network.
Beyond the financialimplications, the privacy issues
pose significant threat to acompany's brand and the trucks
that they share with customers.
So during my interviews withthese executives, I posed a very
(07:29):
simple question what if therewas a service that could
magically enable you tounderstand your exposure to
privacy risk across your entirebusiness network?
The response was justoverwhelmingly positive.
This revelation led to Privaini, a platform which is designed
(07:50):
to empower companies toquantitatively analyze and
monitor privacy risk throughouttheir entire business network.
Debra J Farber (08:00):
And, so you keep saying "business network.
Could we unpack what that meansfor the audience?
What do you mean by businessnetwork?
Sanjay Saini (08:08):
Business network is any company that a company
will do business with.
It could be partners.
It could be business associates, vendors, your technology
providers or even a largecustomer.
Think of anyone with whom acompany shares data or receives
data from.
(08:29):
That is what a business networkis.
Debra J Farber (08:32):
Thank you.
Okay, that's super helpful.
So, let's dive in.
What exactly is Privaini?
Could you give us a little bitof an overview of the platform?
Sanjay Saini (08:41):
Happy to so.
Privaini is, like I said, is aplatform for companies to
effectively manage privacy riskarising from their entire
business network.
So, just to give you an idea,an average company has thousands
of network - thousands of othercompanies that they do business
(09:02):
with in their business network.
So what we did, we created astandardized "privacy view for
any company from externallyavailable information.
They bring together privacydata, corporate information,
regulatory information,compliance impact, and the
(09:22):
security data for any company,all of it in one place.
Now what we do after that is westart building a privacy profile
and the privacy risk posturefor any company, and then we
extend this analysis to covereveryone that a company engages
within its business network.
(09:43):
Like I was saying earlier, itcould include partners, business
associates, vendors, anyonethat the company is doing
business with or sharinginformation or receiving
information.
One of the interesting aspectsof Privaini is that we operate
on externally observableinformation.
This means that a companydoesn't need to request
(10:04):
sensitive data or rely on biasedquestionnaire or annual updates
.
Instead, the enterprise privacyrisk is just continuously
monitored and we providereal-time insights to the
companies.
With Privaini now, the largeenterprises which didn't have a
similar solution can nowconfidently gain insights from
(10:25):
the privacy views that we havecreated, and this is rooted on
objective data, free from anykind of asymmetric information
bias that could be happeningthrough questionnaires or other
mechanisms.
Debra J Farber (10:39):
Well, that's so interesting because most of the
companies out there have been sofocused on where's the personal
data within their ownenvironments and how could they
better have governance for theirpersonal data, and they're so
focused on that that they justhaven't even had the time or
resources to look from an"outside- in perspective.
(11:00):
So I definitely feel like thisis novel and really useful.
Who are the stakeholders thatwould be the users of Privaini?
Who did you design Privaini for?
Sanjay Saini (11:13):
We design products for privacy and risk
practitioners.
It could be Chief PrivacyOfficers, Data Privacy Officers,
but, more importantly, risk andcompliance teams.
In essence, privacy serves as avigilant watchdog, identifying
any privacy-related issues thatmay arise due to a change in a
(11:35):
company's privacy posture.
The change could be very simple, such as an updated privacy
notice or extremely complexthings, such as a new regulatory
requirement coming in or a lawwhich is coming into effect.
In addition to that, we alsopick up and highlight any
regulatory action or securityevent that we have happened for
(11:58):
a company, and we also track anychanges in the tracking
technologies used by a company.
So, then, the privacy teams,with all this information, can
efficiently pinpoint the networkmembers within their business
network that introducedisproportionate risk to them.
Moreover, they can uncoverdiscrepancy between the privacy
(12:23):
standards that they expect thebusiness network members to
adhere with.
Let me show you some real-lifeexamples of how different
stakeholders have so far usedour products.
We detected that a customer wasunknowingly using tracking
technologies that did not complywith very specific USA
(12:43):
regulations.
Another customer thought theyhad implemented privacy
implementation platforms.
The tracking technologydiffered compared to what they
had officially stated, creatinga difference between disclosure
versus discovery.
One of our customers uncovereda massive potential data leak in
(13:08):
their payroll services provider(which could potentially be
impacting thousands ofemployees' personal information)
.
Another customer highlightedthat their pricing strategy may
not be compliant with the "rightto non-discrimination when a
consumer exercises their privacyrights.
Another company found thatthere was a list of business
(13:30):
partners who were not compliantwith CCPA; hence, they would not
have been able to fulfill theflow-down requirement if the
company was asked to respond tocertain consumer regulations.
All these examples illustratethe power that Privaini brings,
(13:52):
uncovering the privacy-relatedinsights which most likely would
have gone unnoticed.
And all of these things thatyou see came from the business
network of the company.
We do it in a very systematicway.
We quantify.
We create "privacy risk scoresfor a company.
It's like an apple-to-applecomparison and extremely
(14:14):
systematic the way we go aboutit.
Debra J Farber (14:17):
That's really fascinating this idea of a
"quantified privacy risk score.
What do you see as the benefitsof calculating that?
I mean, I've already just saidsome of it is to benchmark
across different companies.
Are there other benefits?
Can you speak a little moreabout this privacy risk score?
Sanjay Saini (14:37):
Yeah, there are a lot of scores out there and one
need to understand why a privacyscore is important.
Understanding privacy risk andits exposure is very hard.
The diversity in requirementsmakes it very, very difficult to
understand the privacy risk.
(14:57):
Certain privacy practices maybe perfectly acceptable in one
scenario, but will raise concernin others.
Let me give you some examples.
Let's say a bank is collectingsocial security number for its
operations or fraud protection.
It's completely legitimate andthey should do that, but if the
same is being captured by anairline, that raises red flags.
(15:21):
Why will an airline have asocial security number?
Similarly, if an airline has astate-issued ID information,
such as my passport information,that's perfectly fine, because
when I take a flight, theyprobably need my passport
information.
But, this is an issue if aretailer or a data broker has
such sensitive data available.
(15:42):
So, depending on what industryand what company is using this
information form, it's importantto put all of these together in
a uniform framework.
A uniform approach empowers thecompanies to now start making
comparisons across theirbusiness network members,
(16:04):
enabling them to figure out whyone member might pose a greater
privacy risk compared to others.
So, in a way, thisstandardization and creation of
a privacy score becomes a verycritical tool for a company to
protect both their customer dataand their own reputation as
(16:24):
well.
And, today computation and AItechniques are available to
create such kind ofcomprehensive methods and
uniform approaches for companies.
Debra J Farber (16:36):
That's really helpful.
I'm sure there are somelisteners who want to know more,
like what goes into the privacyscore and how do you weight
different data, and obviouslywithout a demo and all that,
it's going to be really hard to,I think, probably to better
understand it.
But, do you have anything tospeak to that at a high level,
(16:56):
of how you go about creating ascore that makes sense and
appropriate weighting?
Sanjay Saini (17:02):
So of course, we use a lot of algorithms and AI
techniques to create such ascore.
In essence, we take data aboutprivacy information.
It could be as simple as what acompany has declared in its
notices, terms of use, what's ontheir website, and then we
(17:26):
match that against hundreds ofdata sources that are available
to us.
It could be corporateinformation, legal databases,
regulatory information and thenwe take things about the
security events about a companyand we analyze the heck of it.
And then, of course, we havecreated our own algorithms where
(17:48):
we benchmark such informationand at the end of the day, we
come up with a privacy score.
It's a way more complicatedthing than I just described in
one sentence, but hopefully itgives you a sense of where we
come up with such a privacyscore.
It's a composite score.
Think of it as amulti-dimensional way of
evaluating the privacy postureand privacy profile of a company
(18:11):
.
Debra J Farber (18:12):
Yeah, I love it.
I think it's super helpful forjust contextualizing, like, how
does one company compare againstanother company, or how are the
companies in your networkcompare against each other, or
your baselines of what you wouldallow for such risk.
I mean definitely reallyexciting technology.
So, you mentioned that you useAI to discover external data.
(18:34):
Can you talk a little bit moreabout how Privaini does that?
Sanjay Saini (18:38):
Well, you know, in recent times, AI has been
making headlines for many, manyreasons, and it evokes some mix
of different emotions, you know.
Some people are excited aboutits potential and opportunities
for innovation, and others areconcerned about job displacement
(18:59):
and privacy issues.
So, we at Privaini, we think ofit as a very good tool to get
to what we want it to do, and wehave taken a very deliberate
approach.
We harness the power of AI in avery responsible way.
We employ AI to analyze thevast volume of corporate data.
(19:22):
I'm talking about very, verylarge data sources, which
otherwise would not have beenpossible.
And, these specifically excludeeven any sense of any personal
information when we do ouranalysis because what we are
trying to figure out is theprivacy impact on a company,
(19:46):
about everything that is relatedand available about that
company.
The way we go about it, itallows us to create meaningful
privacy insights.
Now, one of the remarkableaspects of AI is its ability to
just process and extractinformation from unstructured
(20:07):
data and coming from different,diverse sources, and do it at
scale, because what we neededwas to do all of this analysis
at scale.
And throughout our AI-drivenapproach, once we have done this
analysis, we now standardizethis information.
And once the information isstandardized, then we can now
(20:31):
create other things, such as theprivacy risk score that I was
talking about.
You can compare privacyprofiles and privacy postures of
two companies and makemeaningful decisions out of it.
So, we think the use of AI isvery exciting and it's very
powerful.
That's how we think of it, butit has to be done in a
meaningful and a deliberate wayand, like I call it as the
(20:54):
responsible use of AI.
Debra J Farber (20:56):
Yeah, that makes a lot of sense to me.
So, as I mentioned before, oneof the great benefits of
Privaini seems to be its abilityto continuously monitor for
privacy risks with this "outsidein approach," and I'd love for
you to speak more to theimportance of this monitoring
(21:17):
posture and the benefits tousing an outside- in approach.
Sanjay Saini (21:20):
So, before I do that.
Let me just share what isavailable today.
Let's say this traditional riskmanagement approach, which is
adopted by most companies, itfocuses on managing risk within
their own boundaries, within theenterprise.
It's essential.
It's absolutely required, butit falls short of providing any
(21:43):
company protection againstprivacy risk.
And, I firmly believe thatrelying solely on the inside-
out approach, it creates a falsesense of security and
achievement for companies whenit comes to privacy risk.
Why?
Because more than two thirds ofprivacy impacting issues, they
(22:04):
arise from outside the company'sfirewall, from within its
business network.
Remember the privacy breachnotice from the credit card
company we were talking about.
That is a classical problemthat arises from the current
approach, which is inside- out.
So, what we did, we took arevolutionary approach.
(22:25):
We said we're going to gooutside- in.
We have taken an outside- inapproach where we examine
externally- available data fromvarious sources, and we use
cutting- edge technology andvery sophisticated algorithms to
create a "privacy risk profile.
The beauty of it is the "lawsof large numbers come into play.
(22:49):
And when I speak to executives,I normally share this that what
we are trying to tell ourbuyers and our users is we will
give you insights, so that way,you are roughly right and never
exactly wrong.
That's what we need to think ofit.
And in today's rapidly- changinglandscape - I think you all
(23:14):
know the famous saying thechange is the only constant -
regulations are being updated;business network members update
their practices; there aresecurity events happening;
regulatory events happening left, right and center.
It happens on a daily basis anda lot of them have direct
impact on privacy.
To navigate this changingenvironment, continuous
(23:36):
monitoring is an absoluterequirement.
It's not a nice to have.
It's absolutely needed becauseyou could have analyzed a
company today and if somethinghappens a week from now, unless
you're monitoring it, you willmiss that 'til the next annual
questionnaire comes into play.
The key reason of continuousmonitoring is that when you
(23:58):
identify a business associate(which may have a potential
privacy- impacting issue or theymay not be complying with what
you had mutually agreed upon)you have to make a decision.
You don't want to wait for thenext annual questionnaire to be
filled in before you want tomake a decision.
(24:19):
You may choose to ship yourtraffic, your business traffic,
from them or take action interms of your mitigation
strategy to preserve your owndata and your own consumer data.
And this can be only done withmonitoring.
Staying ahead with monitoringis the name of the game, and I
(24:42):
believe it's required now formost certifications and it's
becoming part of legalrequirements as well.
So, that's why taking anoutside-in approach and
continuous monitoring isextremely important for
companies to think when theythink of their privacy and its
posture.
Debra J Farber (25:00):
Yeah, that seems to make a lot of sense to me.
It's just, we need to focusmore beyond our internal risk,
and I think it's really excitingto see something like Privaini
that is providing the capabilityto look at the larger risks
across your entire businessnetwork.
I think it's just incrediblyexciting.
So, thanks for kind giving us alittle more info about that.
(25:23):
I am curious though, what doesit take to set up an enterprise
network with Privaini for fullcoverage of external privacy
risks, because, yeah, it's notso clear as to what you might
need to know about anorganization in order to set
this up, so I'd love to hear alittle more.
Sanjay Saini (25:40):
Yeah, I mean traditionally.
If you were to ask anyexecutive, they will say it's
impossible to do it because theyhave thousands, if not tens of
thousands, of other businessesthat they interact with and the
traditional methods ofquestionnaire etc.
are just too time consuming andinefficient.
When I was doing my interviews,it turns out that most
(26:02):
companies, although theyallocate significant amount of
resources to assess privacy risk, they only cover 8% to 10% of
their business network.
The reason is not because theydon't want to do it.
The reason is that it's just toocumbersome today and the
current methods don't scalebecause it relies on manual
(26:22):
questionnaires coming in.
Even if your entire businessnetwork sends the information
back to you, who's going to readit and who's going to take
action on it?
Nobody does.
That for issue.
So, when we started Privaini,we recognize the importance of
creating an effective enterprisenetwork- wide coverage.
(26:46):
So, we designed a veryfrictionless approach to make
sure that there is a fullcoverage for a company's entire
business network.
Remember, we are taking anoutside-in approach, so our
customers do not need to asktheir business network members
to provide anything.
All they need to do is provideus the list of companies that
(27:09):
they do business with.
Could be anyone (27:10):
your suppliers , vendors, business partners,
even your large customers, etc.
It doesn't matter how long thelist is.
They just tell us the names ofthose companies and we take care
of the rest of the stuff.
We just basically go and createa risk profile for each one of
them.
In fact, we have thousands ofsuch companies already in our
library, so we just basicallyreuse it.
(27:32):
This way, our customers get100% of coverage and the
implementation is extremelyrapid.
It's almost like magic.
In fact, one of the executives,they've told me, " seems like
magic.
Then, when you think of it, itis very rapid and it works very
well.
Debra J Farber (27:52):
Amazing, amazing .
So, there's so much here.
I know you've shown me a littlebehind the scenes of just what
your reporting looks like forany company that you scan, and
it's just got thousands of themalready in your system.
I think you even say you havethe largest repository of
privacy notices that you'veanalyzed.
Sanjay Saini (28:11):
We believe we are the largest repository of the
information that is put together.
That means privacy information,their complete corporate
information, where they areregistered to do business, where
they are not registered to dobusiness, any kind of regulatory
database impact on them, andincluding cybersecurity events.
(28:32):
All of these together, when youput this profile together, we
believe we are the largestrepository which brings all this
information in one place.
Debra J Farber (28:46):
That's pretty impressive.
So, recently, there have been afew things that have come to
our attention that Privainicould have really helped with.
One of those is the Criteo case.
I'd love for you to talk aboutwhat that case found, what some
of the major fines were and howa platform like Privaini would
have surfaced privacy risks.
Sanjay Saini (29:07):
You're absolutely right, Debra, that major fines
have now become norm today,because what's happening here is
3, 4, 5 years ago, regulatorswere just writing the laws.
Now they are enforcing the laws.
The companies, unfortunately,are not ready for it yet.
These fines, it looks like theyare happening on a weekly basis
(29:30):
.
I can't imagine a week where wedon't read that they are
multimillion dollar fines, whichare imposed because of privacy
risks, essentially.
And, these multimillion dollarfines are now constant reminders
of the seriousness of thisissue.
The example that you mentioned,which is a Criteo example, just
(29:53):
to give you some background onit, this happened recently in
June itself.
A 40 million euro fine wasimposed by the French regulators
, CNIL, on Criteo, a Frenchcompany, which, by the way, are
rare.
There are not too manyinstances where a French
regulator had imposed a fine ona French company.
The regulators identifiednumerous issues with Criteo's
(30:16):
privacy postures, saying thatwhat Criteo was saying was not
correct practices.
But, more importantly, the datathat Criteo was processing on
behalf of its customers wastainted.
As the customers which actuallysent them (and this is a B2B
(30:37):
company, so this is not an endconsumer) the customers which
sent Criteo the information toprocess and do what they asked
them to do, they lacked theappropriate consent mechanism.
And, as a result, now Criteowas held responsible for the
privacy exposure it caused andharms to the end consumer,
(30:57):
essentially.
Now, the reason why I'mhighlighting this is this is not
just a situation of adownstream provider creating an
issue.
This is an upstream providerwhich created an issue for
Criteo.
And this underscores thesignificance of how and why a
(31:20):
robust platform is needed toeffectively manage privacy risk
across the entire businessnetwork.
I don't think managing theprivacy risk across business
networks is just a nice- to-have.
It's a much- requiredcapability, which every company
should have.
And, I'll pause there becausethe key thing which I want to
(31:44):
say here is this is not just anice- to- have element.
A company should look at thebroader view of the enterprise
privacy risk management becauseit is the right thing to do; it
has a positive impact on thebottom line and it builds trust.
It builds trust with otherbusinesses; it builds trust with
(32:08):
regulators; and, moreimportantly, your customers.
So, that's what we have beendoing and that's what I'm super
excited about this space.
Debra J Farber (32:18):
This is amazing.
I honestly think that theenvironments are ready for a
solution like this.
I think that the both privacyand security teams are
overburdened as it is trying tokeep their programs running, and
that something like Privainican really do a lot of heavy
lifting and surfacing insightsthat would help them make
(32:39):
business decisions aroundprivacy and security and should
you still use and work with aparticular vendor or partner or
anybody else in your businessnetwork.
So, gosh, this is like reallyexciting stuff and I really
appreciate you being here today.
If people want to learn moreand reach out to you, how can
(33:00):
they go about doing that?
Sanjay Saini (33:01):
You are welcome to come to our website, privaini.
com, which is P-R-I-V-A-I-N-I.
com, and I will even say in thesimple form, fill it in and we
will provide you an introductoryprivacy assessment report of
your company and then we cantake it from there.
We can have a follow upconversation and show you the
(33:23):
demo of the product and all thecool stuff that we have been
building.
Debra J Farber (33:26):
Excellent, and is there anything else you'd
like to leave our audience withtoday?
Any takeaways or a mantra thatyou live by, or anything?
Sanjay Saini (33:34):
I will say - the one thing which I will say is
that privacy and trust are anextremely important thing that
I'm not saying for the sake ofit.
I truly believe in it.
The second thing which I willsay is that I know I'm on a
privacy shift left profile, butwhat I will say is, for privacy
technical team members, at timesyou have to understand what is
(33:57):
on the right side of theequation before you shift left.
So, think through why in yourenvironment, for your company
and, more importantly, for theentire business network that
your company deals with, andthen how you can help them for
the enterprise- wide privacylist management.
(34:18):
That's where I will pause here,and then, although I did say
that it's a complex problem, butit's also a very exciting
opportunity, and then I'm trulyhappy that I'm collaborating
with leaders from all spaces tobring a solution which will be
useful worldwide.
Debra J Farber (34:34):
Excellent.
Well, Sanjay, thank you so muchfor joining us today on
Shifting Privacy Left to discussPrivaini and its outside- in
privacy risk monitoringcapabilities for entire business
networks.
Until next Tuesday, everyone,when we'll be back with engaging
content and another great guest.
Sanjay Saini (34:52):
Thank you, Debra.
Debra J Farber (34:56):
Thanks for joining us this week on Shifting
Privacy Left.
Make sure to visit our website,shiftingprivacyleft.
com, where you can subscribe toupdates so you'll never miss a
show.
While you're at it.
If you've found this episodevaluable, go ahead and share it
with a friend.
And, if you're an engineer whocares passionately about privacy
, check out Privado (35:15):
the developer friendly privacy
platform and sponsor of the show.
To learn more, go to privado.
ai.
Be sure to tune in next Tuesdayfor a new episode.
Bye for now.
A company should look at the broader view of the
enterprise privacy riskmanagement because it is the
right thing to do.
It has a positive impact on thebottom line and it builds trust
.
It builds trust with otherbusinesses; it builds trust with
regulators; and, moreimportantly, your customers.
Debra J Farber (00:26):
Welcome everyone to Shifting Privacy Left.
I'm your host and residentprivacy guru, Debra J Farber.
Today, I'm delighted to welcomemy next guest, Sanjay Saini,
founder and CEO of Privaini, aprivacy tech company that
provides privacy risk monitoringto enterprises.
Privaini provides visibilityinto privacy risk and actionable
(00:48):
insights to enterprises with afact-based, systematic approach
to mitigate reputation and legalrisk for data privacy in their
business network.
Proveni boasts the largestrepository of company privacy
policies and practices.
Each policy is categorized,analyzed and continuously
monitored.
The product is designed for CPO, DPO, risk and compliance
(01:12):
officers, vendor management,groups, insurers and teams that
focus on data privacy riskmanagement.
I also want to disclose that Irecently joined Privaini's
Advisory Board and I'm excitedby what Sanjay and team are
bringing to market.
Now I want to tell you a littlebit more about Sanjay, because
he's an impressive serialentrepreneur and strategic
(01:33):
leader.
He's led high-performance teamsthat built entirely new product
categories.
Examples include (01:38):
developing the number one crisis
communication system for federalgovernment called AtHoc; the
first nationwide location systemwith Polaris Wireless; the
first worldwide payment gatewaywith Kibira; and the first
real-time mobile provisioningsystem; and the first IT
(02:01):
governance platform with Kintana.
In fact, Privaini is Sanjay'sfifth startup.
Welcome, Sanjay.
Hi, great to be here.
So, Sanjay, tell us a littlebit more about your background.
What motivated you to foundcompanies that bring trusted
systems to market?
Sanjay Saini (02:19):
Thank you, Debra.
Before I start into it, I wantto share two lessons that I
learned from my grandfatherearly on in my life, and I
firmly believe in these.
First of all, people dobusiness with people, not
companies.
And secondly, long-termsuccessful companies run on
trust.
These two principles haveguided me throughout my career
(02:41):
and continue to hold true today.
I've been fortunate to be partof many successful companies
that have changed the waybusiness is done.
One of my earliest experienceswas at Kintana, under the
leadership of Raj Jain, where wecoined the phrase "IT
components.
" This was even before the eraof Sarbane's- Oxley, and we led
(03:03):
the foundation for the companiesto manage their IT portfolio
efficiently, especially when itcame to regulatory compliance
and IT controls and buildingtrust in companies' financials.
After that, I ventured into theFinTech world, where we built
the world's first real-timepayment gateway with
(03:23):
unparalleled availability andtrust that our card transactions
will go through no matter what.
This system has been runningsince 2005 without a single
second of downtime, which is, Ibelieve, quite remarkable.
And, I had a privilege ofworking on the first real-time
mobile provisioning system inthe telco industry.
(03:45):
And in my last venture, wedeveloped the number one crisis
communication and emergencymanagement system, which is
widely used by the federalgovernment and various large
companies to save lives.
I've always found myself drawnto complex technical problems in
business networks withregulatory compliance
(04:06):
obligations.
The products so far that I'vebeen part of have always had one
common thread (04:11):
they focus on fostering trust, whether it's
between two businesses or withthe end users.
There's a sense of purpose incontributing in integrity and
reliability of these systems.
Now, privacy has become aparamount concern in our rapidly
evolving digital world.
To tackle the intricacies andimportance of data privacy and
(04:33):
trust, I'm collaborating withexceptional privacy leaders,
former regulators and industrychampions.
Tom Kemp, a good friend,investor and advisor, is one of
the privacy leaders, privacypolicy authors, and now he's
taking on big data companies andhe is part of our Privaini
family.
A former FTC Chairperson(Maureen Ohlhausen O is an
(04:55):
Advisor to us who helps solvethis complex privacy risk
management problem.
Together, we are committed tofinding an innovative solution
to the challenges that arise inthis space, and our collective
mission is to safeguardindividual privacy rights while
ensuring companies can operateresponsibly in the data-driven
(05:16):
landscape.
Debra J Farber (05:16):
I mean, it's just all so important and I'm so
glad you're focused on it.
But I'm so curious, whatmotivated you to found Privaini?
You could have started anynumber of companies right now.
What is it about privacy riskmonitoring that motivated you to
tackle this challenge inparticular?
Sanjay Saini (05:35):
Well, it all started with a letter from a
major credit card companywarning of a potential personal
information breach from one ofits business partners.
I'm sure, like many of us, I'vehad seen such notices before
and often ignored them, assumingthat the companies that we
trust to handle our data wouldhave it under control.
However, these privacy noticesjust kept pouring in from
(06:00):
various companies from which Ihave been buying and different
products and services andtrusted them to manage my own
privacy and my own personalinformation.
I realized that even theselarge companies struggled to
effectively manage the privacyrisks across their business
network.
So I got curious and after thatI spoke to maybe over 50
(06:22):
executives and a common themeemerged that the challenge was
simply too complex for anysingle company to handle privacy
risks across their entirebusiness networks.
Most companies were usingoutdated methods, managing
privacy risk through cumbersomespreadsheet and annual
(06:42):
questionnaires.
Shockingly, only about 8 to 10%of their business network
partners were manually reviewed,leaving the vast majority
unchecked and definitely notmonitored.
Very reactive approach, I willsay.
It became evident that this wasa pressing B2B issue, especially
for companies with complexbusiness networks and strict
(07:06):
regulatory compliancerequirements.
Understanding privacy risk,Debra, for one company itself is
very hard, let alone for anentire business network.
Beyond the financialimplications, the privacy issues
pose significant threat to acompany's brand and the trucks
that they share with customers.
So during my interviews withthese executives, I posed a very
(07:29):
simple question what if therewas a service that could
magically enable you tounderstand your exposure to
privacy risk across your entirebusiness network?
The response was justoverwhelmingly positive.
This revelation led to Privaini, a platform which is designed
(07:50):
to empower companies toquantitatively analyze and
monitor privacy risk throughouttheir entire business network.
Debra J Farber (08:00):
And, so you keep saying "business network.
Could we unpack what that meansfor the audience?
What do you mean by businessnetwork?
Sanjay Saini (08:08):
Business network is any company that a company
will do business with.
It could be partners.
It could be business associates, vendors, your technology
providers or even a largecustomer.
Think of anyone with whom acompany shares data or receives
data from.
(08:29):
That is what a business networkis.
Debra J Farber (08:32):
Thank you.
Okay, that's super helpful.
So, let's dive in.
What exactly is Privaini?
Could you give us a little bitof an overview of the platform?
Sanjay Saini (08:41):
Happy to so.
Privaini is, like I said, is aplatform for companies to
effectively manage privacy riskarising from their entire
business network.
So, just to give you an idea,an average company has thousands
of network - thousands of othercompanies that they do business
(09:02):
with in their business network.
So what we did, we created astandardized "privacy view for
any company from externallyavailable information.
They bring together privacydata, corporate information,
regulatory information,compliance impact, and the
(09:22):
security data for any company,all of it in one place.
Now what we do after that is westart building a privacy profile
and the privacy risk posturefor any company, and then we
extend this analysis to covereveryone that a company engages
within its business network.
(09:43):
Like I was saying earlier, itcould include partners, business
associates, vendors, anyonethat the company is doing
business with or sharinginformation or receiving
information.
One of the interesting aspectsof Privaini is that we operate
on externally observableinformation.
This means that a companydoesn't need to request
(10:04):
sensitive data or rely on biasedquestionnaire or annual updates
.
Instead, the enterprise privacyrisk is just continuously
monitored and we providereal-time insights to the
companies.
With Privaini now, the largeenterprises which didn't have a
similar solution can nowconfidently gain insights from
(10:25):
the privacy views that we havecreated, and this is rooted on
objective data, free from anykind of asymmetric information
bias that could be happeningthrough questionnaires or other
mechanisms.
Debra J Farber (10:39):
Well, that's so interesting because most of the
companies out there have been sofocused on where's the personal
data within their ownenvironments and how could they
better have governance for theirpersonal data, and they're so
focused on that that they justhaven't even had the time or
resources to look from an"outside- in perspective.
(11:00):
So I definitely feel like thisis novel and really useful.
Who are the stakeholders thatwould be the users of Privaini?
Who did you design Privaini for?
Sanjay Saini (11:13):
We design products for privacy and risk
practitioners.
It could be Chief PrivacyOfficers, Data Privacy Officers,
but, more importantly, risk andcompliance teams.
In essence, privacy serves as avigilant watchdog, identifying
any privacy-related issues thatmay arise due to a change in a
(11:35):
company's privacy posture.
The change could be very simple, such as an updated privacy
notice or extremely complexthings, such as a new regulatory
requirement coming in or a lawwhich is coming into effect.
In addition to that, we alsopick up and highlight any
regulatory action or securityevent that we have happened for
(11:58):
a company, and we also track anychanges in the tracking
technologies used by a company.
So, then, the privacy teams,with all this information, can
efficiently pinpoint the networkmembers within their business
network that introducedisproportionate risk to them.
Moreover, they can uncoverdiscrepancy between the privacy
(12:23):
standards that they expect thebusiness network members to
adhere with.
Let me show you some real-lifeexamples of how different
stakeholders have so far usedour products.
We detected that a customer wasunknowingly using tracking
technologies that did not complywith very specific USA
(12:43):
regulations.
Another customer thought theyhad implemented privacy
implementation platforms.
The tracking technologydiffered compared to what they
had officially stated, creatinga difference between disclosure
versus discovery.
One of our customers uncovereda massive potential data leak in
(13:08):
their payroll services provider(which could potentially be
impacting thousands ofemployees' personal information)
.
Another customer highlightedthat their pricing strategy may
not be compliant with the "rightto non-discrimination when a
consumer exercises their privacyrights.
Another company found thatthere was a list of business
(13:30):
partners who were not compliantwith CCPA; hence, they would not
have been able to fulfill theflow-down requirement if the
company was asked to respond tocertain consumer regulations.
All these examples illustratethe power that Privaini brings,
(13:52):
uncovering the privacy-relatedinsights which most likely would
have gone unnoticed.
And all of these things thatyou see came from the business
network of the company.
We do it in a very systematicway.
We quantify.
We create "privacy risk scoresfor a company.
It's like an apple-to-applecomparison and extremely
(14:14):
systematic the way we go aboutit.
Debra J Farber (14:17):
That's really fascinating this idea of a
"quantified privacy risk score.
What do you see as the benefitsof calculating that?
I mean, I've already just saidsome of it is to benchmark
across different companies.
Are there other benefits?
Can you speak a little moreabout this privacy risk score?
Sanjay Saini (14:37):
Yeah, there are a lot of scores out there and one
need to understand why a privacyscore is important.
Understanding privacy risk andits exposure is very hard.
The diversity in requirementsmakes it very, very difficult to
understand the privacy risk.
(14:57):
Certain privacy practices maybe perfectly acceptable in one
scenario, but will raise concernin others.
Let me give you some examples.
Let's say a bank is collectingsocial security number for its
operations or fraud protection.
It's completely legitimate andthey should do that, but if the
same is being captured by anairline, that raises red flags.
(15:21):
Why will an airline have asocial security number?
Similarly, if an airline has astate-issued ID information,
such as my passport information,that's perfectly fine, because
when I take a flight, theyprobably need my passport
information.
But, this is an issue if aretailer or a data broker has
such sensitive data available.
(15:42):
So, depending on what industryand what company is using this
information form, it's importantto put all of these together in
a uniform framework.
A uniform approach empowers thecompanies to now start making
comparisons across theirbusiness network members,
(16:04):
enabling them to figure out whyone member might pose a greater
privacy risk compared to others.
So, in a way, thisstandardization and creation of
a privacy score becomes a verycritical tool for a company to
protect both their customer dataand their own reputation as
(16:24):
well.
And, today computation and AItechniques are available to
create such kind ofcomprehensive methods and
uniform approaches for companies.
Debra J Farber (16:36):
That's really helpful.
I'm sure there are somelisteners who want to know more,
like what goes into the privacyscore and how do you weight
different data, and obviouslywithout a demo and all that,
it's going to be really hard to,I think, probably to better
understand it.
But, do you have anything tospeak to that at a high level,
(16:56):
of how you go about creating ascore that makes sense and
appropriate weighting?
Sanjay Saini (17:02):
So of course, we use a lot of algorithms and AI
techniques to create such ascore.
In essence, we take data aboutprivacy information.
It could be as simple as what acompany has declared in its
notices, terms of use, what's ontheir website, and then we
(17:26):
match that against hundreds ofdata sources that are available
to us.
It could be corporateinformation, legal databases,
regulatory information and thenwe take things about the
security events about a companyand we analyze the heck of it.
And then, of course, we havecreated our own algorithms where
(17:48):
we benchmark such informationand at the end of the day, we
come up with a privacy score.
It's a way more complicatedthing than I just described in
one sentence, but hopefully itgives you a sense of where we
come up with such a privacyscore.
It's a composite score.
Think of it as amulti-dimensional way of
evaluating the privacy postureand privacy profile of a company
(18:11):
.
Debra J Farber (18:12):
Yeah, I love it.
I think it's super helpful forjust contextualizing, like, how
does one company compare againstanother company, or how are the
companies in your networkcompare against each other, or
your baselines of what you wouldallow for such risk.
I mean definitely reallyexciting technology.
So, you mentioned that you useAI to discover external data.
(18:34):
Can you talk a little bit moreabout how Privaini does that?
Sanjay Saini (18:38):
Well, you know, in recent times, AI has been
making headlines for many, manyreasons, and it evokes some mix
of different emotions, you know.
Some people are excited aboutits potential and opportunities
for innovation, and others areconcerned about job displacement
(18:59):
and privacy issues.
So, we at Privaini, we think ofit as a very good tool to get
to what we want it to do, and wehave taken a very deliberate
approach.
We harness the power of AI in avery responsible way.
We employ AI to analyze thevast volume of corporate data.
(19:22):
I'm talking about very, verylarge data sources, which
otherwise would not have beenpossible.
And, these specifically excludeeven any sense of any personal
information when we do ouranalysis because what we are
trying to figure out is theprivacy impact on a company,
(19:46):
about everything that is relatedand available about that
company.
The way we go about it, itallows us to create meaningful
privacy insights.
Now, one of the remarkableaspects of AI is its ability to
just process and extractinformation from unstructured
(20:07):
data and coming from different,diverse sources, and do it at
scale, because what we neededwas to do all of this analysis
at scale.
And throughout our AI-drivenapproach, once we have done this
analysis, we now standardizethis information.
And once the information isstandardized, then we can now
(20:31):
create other things, such as theprivacy risk score that I was
talking about.
You can compare privacyprofiles and privacy postures of
two companies and makemeaningful decisions out of it.
So, we think the use of AI isvery exciting and it's very
powerful.
That's how we think of it, butit has to be done in a
meaningful and a deliberate wayand, like I call it as the
(20:54):
responsible use of AI.
Debra J Farber (20:56):
Yeah, that makes a lot of sense to me.
So, as I mentioned before, oneof the great benefits of
Privaini seems to be its abilityto continuously monitor for
privacy risks with this "outsidein approach," and I'd love for
you to speak more to theimportance of this monitoring
(21:17):
posture and the benefits tousing an outside- in approach.
Sanjay Saini (21:20):
So, before I do that.
Let me just share what isavailable today.
Let's say this traditional riskmanagement approach, which is
adopted by most companies, itfocuses on managing risk within
their own boundaries, within theenterprise.
It's essential.
It's absolutely required, butit falls short of providing any
(21:43):
company protection againstprivacy risk.
And, I firmly believe thatrelying solely on the inside-
out approach, it creates a falsesense of security and
achievement for companies whenit comes to privacy risk.
Why?
Because more than two thirds ofprivacy impacting issues, they
(22:04):
arise from outside the company'sfirewall, from within its
business network.
Remember the privacy breachnotice from the credit card
company we were talking about.
That is a classical problemthat arises from the current
approach, which is inside- out.
So, what we did, we took arevolutionary approach.
(22:25):
We said we're going to gooutside- in.
We have taken an outside- inapproach where we examine
externally- available data fromvarious sources, and we use
cutting- edge technology andvery sophisticated algorithms to
create a "privacy risk profile.
The beauty of it is the "lawsof large numbers come into play.
(22:49):
And when I speak to executives,I normally share this that what
we are trying to tell ourbuyers and our users is we will
give you insights, so that way,you are roughly right and never
exactly wrong.
That's what we need to think ofit.
And in today's rapidly- changinglandscape - I think you all
(23:14):
know the famous saying thechange is the only constant -
regulations are being updated;business network members update
their practices; there aresecurity events happening;
regulatory events happening left, right and center.
It happens on a daily basis anda lot of them have direct
impact on privacy.
To navigate this changingenvironment, continuous
(23:36):
monitoring is an absoluterequirement.
It's not a nice to have.
It's absolutely needed becauseyou could have analyzed a
company today and if somethinghappens a week from now, unless
you're monitoring it, you willmiss that 'til the next annual
questionnaire comes into play.
The key reason of continuousmonitoring is that when you
(23:58):
identify a business associate(which may have a potential
privacy- impacting issue or theymay not be complying with what
you had mutually agreed upon)you have to make a decision.
You don't want to wait for thenext annual questionnaire to be
filled in before you want tomake a decision.
(24:19):
You may choose to ship yourtraffic, your business traffic,
from them or take action interms of your mitigation
strategy to preserve your owndata and your own consumer data.
And this can be only done withmonitoring.
Staying ahead with monitoringis the name of the game, and I
(24:42):
believe it's required now formost certifications and it's
becoming part of legalrequirements as well.
So, that's why taking anoutside-in approach and
continuous monitoring isextremely important for
companies to think when theythink of their privacy and its
posture.
Debra J Farber (25:00):
Yeah, that seems to make a lot of sense to me.
It's just, we need to focusmore beyond our internal risk,
and I think it's really excitingto see something like Privaini
that is providing the capabilityto look at the larger risks
across your entire businessnetwork.
I think it's just incrediblyexciting.
So, thanks for kind giving us alittle more info about that.
(25:23):
I am curious though, what doesit take to set up an enterprise
network with Privaini for fullcoverage of external privacy
risks, because, yeah, it's notso clear as to what you might
need to know about anorganization in order to set
this up, so I'd love to hear alittle more.
Sanjay Saini (25:40):
Yeah, I mean traditionally.
If you were to ask anyexecutive, they will say it's
impossible to do it because theyhave thousands, if not tens of
thousands, of other businessesthat they interact with and the
traditional methods ofquestionnaire etc.
are just too time consuming andinefficient.
When I was doing my interviews,it turns out that most
(26:02):
companies, although theyallocate significant amount of
resources to assess privacy risk, they only cover 8% to 10% of
their business network.
The reason is not because theydon't want to do it.
The reason is that it's just toocumbersome today and the
current methods don't scalebecause it relies on manual
(26:22):
questionnaires coming in.
Even if your entire businessnetwork sends the information
back to you, who's going to readit and who's going to take
action on it?
Nobody does.
That for issue.
So, when we started Privaini,we recognize the importance of
creating an effective enterprisenetwork- wide coverage.
(26:46):
So, we designed a veryfrictionless approach to make
sure that there is a fullcoverage for a company's entire
business network.
Remember, we are taking anoutside-in approach, so our
customers do not need to asktheir business network members
to provide anything.
All they need to do is provideus the list of companies that
(27:09):
they do business with.
Could be anyone (27:10):
your suppliers , vendors, business partners,
even your large customers, etc.
It doesn't matter how long thelist is.
They just tell us the names ofthose companies and we take care
of the rest of the stuff.
We just basically go and createa risk profile for each one of
them.
In fact, we have thousands ofsuch companies already in our
library, so we just basicallyreuse it.
(27:32):
This way, our customers get100% of coverage and the
implementation is extremelyrapid.
It's almost like magic.
In fact, one of the executives,they've told me, " seems like
magic.
Then, when you think of it, itis very rapid and it works very
well.
Debra J Farber (27:52):
Amazing, amazing .
So, there's so much here.
I know you've shown me a littlebehind the scenes of just what
your reporting looks like forany company that you scan, and
it's just got thousands of themalready in your system.
I think you even say you havethe largest repository of
privacy notices that you'veanalyzed.
Sanjay Saini (28:11):
We believe we are the largest repository of the
information that is put together.
That means privacy information,their complete corporate
information, where they areregistered to do business, where
they are not registered to dobusiness, any kind of regulatory
database impact on them, andincluding cybersecurity events.
(28:32):
All of these together, when youput this profile together, we
believe we are the largestrepository which brings all this
information in one place.
Debra J Farber (28:46):
That's pretty impressive.
So, recently, there have been afew things that have come to
our attention that Privainicould have really helped with.
One of those is the Criteo case.
I'd love for you to talk aboutwhat that case found, what some
of the major fines were and howa platform like Privaini would
have surfaced privacy risks.
Sanjay Saini (29:07):
You're absolutely right, Debra, that major fines
have now become norm today,because what's happening here is
3, 4, 5 years ago, regulatorswere just writing the laws.
Now they are enforcing the laws.
The companies, unfortunately,are not ready for it yet.
These fines, it looks like theyare happening on a weekly basis
(29:30):
.
I can't imagine a week where wedon't read that they are
multimillion dollar fines, whichare imposed because of privacy
risks, essentially.
And, these multimillion dollarfines are now constant reminders
of the seriousness of thisissue.
The example that you mentioned,which is a Criteo example, just
(29:53):
to give you some background onit, this happened recently in
June itself.
A 40 million euro fine wasimposed by the French regulators
, CNIL, on Criteo, a Frenchcompany, which, by the way, are
rare.
There are not too manyinstances where a French
regulator had imposed a fine ona French company.
The regulators identifiednumerous issues with Criteo's
(30:16):
privacy postures, saying thatwhat Criteo was saying was not
correct practices.
But, more importantly, the datathat Criteo was processing on
behalf of its customers wastainted.
As the customers which actuallysent them (and this is a B2B
(30:37):
company, so this is not an endconsumer) the customers which
sent Criteo the information toprocess and do what they asked
them to do, they lacked theappropriate consent mechanism.
And, as a result, now Criteowas held responsible for the
privacy exposure it caused andharms to the end consumer,
(30:57):
essentially.
Now, the reason why I'mhighlighting this is this is not
just a situation of adownstream provider creating an
issue.
This is an upstream providerwhich created an issue for
Criteo.
And this underscores thesignificance of how and why a
(31:20):
robust platform is needed toeffectively manage privacy risk
across the entire businessnetwork.
I don't think managing theprivacy risk across business
networks is just a nice- to-have.
It's a much- requiredcapability, which every company
should have.
And, I'll pause there becausethe key thing which I want to
(31:44):
say here is this is not just anice- to- have element.
A company should look at thebroader view of the enterprise
privacy risk management becauseit is the right thing to do; it
has a positive impact on thebottom line and it builds trust.
It builds trust with otherbusinesses; it builds trust with
(32:08):
regulators; and, moreimportantly, your customers.
So, that's what we have beendoing and that's what I'm super
excited about this space.
Debra J Farber (32:18):
This is amazing.
I honestly think that theenvironments are ready for a
solution like this.
I think that the both privacyand security teams are
overburdened as it is trying tokeep their programs running, and
that something like Privainican really do a lot of heavy
lifting and surfacing insightsthat would help them make
(32:39):
business decisions aroundprivacy and security and should
you still use and work with aparticular vendor or partner or
anybody else in your businessnetwork.
So, gosh, this is like reallyexciting stuff and I really
appreciate you being here today.
If people want to learn moreand reach out to you, how can
(33:00):
they go about doing that?
Sanjay Saini (33:01):
You are welcome to come to our website, privaini.
com, which is P-R-I-V-A-I-N-I.
com, and I will even say in thesimple form, fill it in and we
will provide you an introductoryprivacy assessment report of
your company and then we cantake it from there.
We can have a follow upconversation and show you the
(33:23):
demo of the product and all thecool stuff that we have been
building.
Debra J Farber (33:26):
Excellent, and is there anything else you'd
like to leave our audience withtoday?
Any takeaways or a mantra thatyou live by, or anything?
Sanjay Saini (33:34):
I will say - the one thing which I will say is
that privacy and trust are anextremely important thing that
I'm not saying for the sake ofit.
I truly believe in it.
The second thing which I willsay is that I know I'm on a
privacy shift left profile, butwhat I will say is, for privacy
technical team members, at timesyou have to understand what is
(33:57):
on the right side of theequation before you shift left.
So, think through why in yourenvironment, for your company
and, more importantly, for theentire business network that
your company deals with, andthen how you can help them for
the enterprise- wide privacylist management.
(34:18):
That's where I will pause here,and then, although I did say
that it's a complex problem, butit's also a very exciting
opportunity, and then I'm trulyhappy that I'm collaborating
with leaders from all spaces tobring a solution which will be
useful worldwide.
Debra J Farber (34:34):
Excellent.
Well, Sanjay, thank you so muchfor joining us today on
Shifting Privacy Left to discussPrivaini and its outside- in
privacy risk monitoringcapabilities for entire business
networks.
Until next Tuesday, everyone,when we'll be back with engaging
content and another great guest.
Sanjay Saini (34:52):
Thank you, Debra.
Debra J Farber (34:56):
Thanks for joining us this week on Shifting
Privacy Left.
Make sure to visit our website,shiftingprivacyleft.
com, where you can subscribe toupdates so you'll never miss a
show.
While you're at it.
If you've found this episodevaluable, go ahead and share it
with a friend.
And, if you're an engineer whocares passionately about privacy
, check out Privado (35:15):
the developer friendly privacy
platform and sponsor of the show.
To learn more, go to privado.
ai.
Be sure to tune in next Tuesdayfor a new episode.
Bye for now.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Therapy Gecko
An unlicensed lizard psychologist travels the universe talking to strangers about absolutely nothing. TO CALL THE GECKO: follow me on https://www.twitch.tv/lyleforever to get a notification for when I am taking calls. I am usually live Mondays, Wednesdays, and Fridays but lately a lot of other times too. I am a gecko.