Get ready for an eye-opening conversation with Sanjay Saini, the founder and CEO of Privaini, a groundbreaking privacy tech company. Sanjay's journey is not only impressive due to his role in creating high-performance teams that have built entirely new product categories, but also for the invaluable lessons he learned from his grandfather about the pillars of successful companies - trust and human connections. In our discussion, Sanjay shares how Privaini is raising the privacy bar by constructing the world's largest repository of company privacy policies and practices. It's a fascinating dive into the future of privacy risk management.
Imagine being able to gain full coverage of your external privacy risks with continuous monitoring. Wouldn't that revolutionize your approach to risk management? That's exactly what Privaini is doing! Sanjay explains how Privaini utilizes AI to analyze, standardize, and derive meaningful "privacy views" and insights from vast volumes of publicly-available data. Listen in to understand how Privaini's innovative approach is helping companies gain visibility into their entire business network to make quicker, more informed decisions.
Copyright © 2022 - 2023 Principled LLC. All rights reserved.
"A company should look at the broader view of the enterprise privacy risk management because it is the right thing to do. It has a positive impact on the bottom line and it builds trust. It builds trust with other businesses; it builds trust with regulators; and, more importantly, your customers."

Debra J Farber:
Welcome everyone to Shifting Privacy Left. I'm your host and resident privacy guru, Debra J Farber. Today, I'm delighted to welcome my next guest, Sanjay Saini, founder and CEO of Privaini, a privacy tech company that provides privacy risk monitoring to enterprises. Privaini provides visibility into privacy risk and actionable insights to enterprises with a fact-based, systematic approach to mitigate reputation and legal risk for data privacy in their business network. Privaini boasts the largest repository of company privacy policies and practices. Each policy is categorized, analyzed and continuously monitored. The product is designed for CPOs, DPOs, risk and compliance officers, vendor management groups, insurers and teams that focus on data privacy risk management. I also want to disclose that I recently joined Privaini's Advisory Board and I'm excited by what Sanjay and team are bringing to market. Now I want to tell you a little bit more about Sanjay, because he's an impressive serial entrepreneur and strategic leader. He's led high-performance teams that built entirely new product categories. Examples include: developing the number one crisis communication system for the federal government, called AtHoc; the first nationwide location system with Polaris Wireless; the first worldwide payment gateway with Kibira; the first real-time mobile provisioning system; and the first IT governance platform with Kintana. In fact, Privaini is Sanjay's fifth startup. Welcome, Sanjay.

Sanjay Saini:
Hi, great to be here.

Debra J Farber:
So, Sanjay, tell us a little bit more about your background. What motivated you to found companies that bring trusted systems to market?

Debra J Farber:
I mean, it's just all so important and I'm so glad you're focused on it. But I'm so curious, what motivated you to found Privaini? You could have started any number of companies right now. What is it about privacy risk monitoring that motivated you to tackle this challenge in particular?

Sanjay Saini:
Well, it all started with a letter from a major credit card company warning of a potential personal information breach from one of its business partners. I'm sure, like many of us, I had seen such notices before and often ignored them, assuming that the companies that we trust to handle our data would have it under control. However, these privacy notices just kept pouring in from various companies from which I had been buying different products and services and trusted to manage my own privacy and my own personal information. I realized that even these large companies struggled to effectively manage the privacy risks across their business network. So I got curious and after that I spoke to maybe over 50 executives, and a common theme emerged that the challenge was simply too complex for any single company to handle privacy risks across their entire business networks. Most companies were using outdated methods, managing privacy risk through cumbersome spreadsheets and annual questionnaires. Shockingly, only about 8 to 10% of their business network partners were manually reviewed, leaving the vast majority unchecked and definitely not monitored. Very reactive approach, I will say. It became evident that this was a pressing B2B issue, especially for companies with complex business networks and strict regulatory compliance requirements. Understanding privacy risk, Debra, for one company itself is very hard, let alone for an entire business network. Beyond the financial implications, the privacy issues pose a significant threat to a company's brand and the trust that they share with customers. So during my interviews with these executives, I posed a very simple question: what if there was a service that could magically enable you to understand your exposure to privacy risk across your entire business network? The response was just overwhelmingly positive.

This revelation led to Privaini, a platform which is designed to empower companies to quantitatively analyze and monitor privacy risk throughout their entire business network.

Debra J Farber:
And, so you keep saying "business network." Could we unpack what that means for the audience? What do you mean by business network?

Sanjay Saini:
Business network is any company that a company will do business with. It could be partners. It could be business associates, vendors, your technology providers or even a large customer. Think of anyone with whom a company shares data or receives data from. That is what a business network is.

Debra J Farber:
Thank you. Okay, that's super helpful. So, let's dive in. What exactly is Privaini? Could you give us a little bit of an overview of the platform?

Sanjay Saini:
Happy to. So, Privaini is, like I said, a platform for companies to effectively manage privacy risk arising from their entire business network. So, just to give you an idea, an average company has thousands of network - thousands of other companies that they do business with in their business network. So what we did, we created a standardized "privacy view" for any company from externally available information. They bring together privacy data, corporate information, regulatory information, compliance impact, and the security data for any company, all of it in one place. Now what we do after that is we start building a privacy profile and the privacy risk posture for any company, and then we extend this analysis to cover everyone that a company engages with in its business network. Like I was saying earlier, it could include partners, business associates, vendors, anyone that the company is doing business with or sharing information or receiving information. One of the interesting aspects of Privaini is that we operate on externally observable information. This means that a company doesn't need to request sensitive data or rely on biased questionnaires or annual updates. Instead, the enterprise privacy risk is just continuously monitored and we provide real-time insights to the companies. With Privaini now, the large enterprises which didn't have a similar solution can now confidently gain insights from the privacy views that we have created, and this is rooted in objective data, free from any kind of asymmetric information bias that could be happening through questionnaires or other mechanisms.

Debra J Farber:
Well, that's so interesting because most of the companies out there have been so focused on where's the personal data within their own environments and how could they better have governance for their personal data, and they're so focused on that that they just haven't even had the time or resources to look from an "outside-in" perspective. So I definitely feel like this is novel and really useful. Who are the stakeholders that would be the users of Privaini? Who did you design Privaini for?

Sanjay Saini:
We design products for privacy and risk practitioners. It could be Chief Privacy Officers, Data Privacy Officers, but, more importantly, risk and compliance teams. In essence, Privaini serves as a vigilant watchdog, identifying any privacy-related issues that may arise due to a change in a company's privacy posture. The change could be very simple, such as an updated privacy notice, or extremely complex things, such as a new regulatory requirement coming in or a law which is coming into effect. In addition to that, we also pick up and highlight any regulatory action or security event that has happened for a company, and we also track any changes in the tracking technologies used by a company. So, then, the privacy teams, with all this information, can efficiently pinpoint the network members within their business network that introduce disproportionate risk to them. Moreover, they can uncover discrepancies between the privacy standards that they expect the business network members to adhere to. Let me show you some real-life examples of how different stakeholders have so far used our products. We detected that a customer was unknowingly using tracking technologies that did not comply with very specific USA regulations. Another customer thought they had implemented privacy implementation platforms. The tracking technology differed compared to what they had officially stated, creating a difference between disclosure versus discovery. One of our customers uncovered a massive potential data leak in their payroll services provider (which could potentially be impacting thousands of employees' personal information). Another customer highlighted that their pricing strategy may not be compliant with the "right to non-discrimination" when a consumer exercises their privacy rights.

Another company found that there was a list of business partners who were not compliant with CCPA; hence, they would not have been able to fulfill the flow-down requirement if the company was asked to respond to certain consumer regulations. All these examples illustrate the power that Privaini brings, uncovering the privacy-related insights which most likely would have gone unnoticed. And all of these things that you see came from the business network of the company. We do it in a very systematic way. We quantify. We create "privacy risk scores" for a company. It's like an apple-to-apple comparison and extremely systematic the way we go about it.

Debra J Farber:
That's really fascinating, this idea of a "quantified privacy risk score." What do you see as the benefits of calculating that? I mean, I've already just said some of it is to benchmark across different companies. Are there other benefits? Can you speak a little more about this privacy risk score?

Sanjay Saini:
Yeah, there are a lot of scores out there and one needs to understand why a privacy score is important. Understanding privacy risk and its exposure is very hard. The diversity in requirements makes it very, very difficult to understand the privacy risk. Certain privacy practices may be perfectly acceptable in one scenario, but will raise concern in others. Let me give you some examples. Let's say a bank is collecting social security numbers for its operations or fraud protection. It's completely legitimate and they should do that, but if the same is being captured by an airline, that raises red flags. Why will an airline have a social security number? Similarly, if an airline has state-issued ID information, such as my passport information, that's perfectly fine, because when I take a flight, they probably need my passport information. But, this is an issue if a retailer or a data broker has such sensitive data available. So, depending on what industry and what company is using this information for, it's important to put all of these together in a uniform framework. A uniform approach empowers the companies to now start making comparisons across their business network members, enabling them to figure out why one member might pose a greater privacy risk compared to others. So, in a way, this standardization and creation of a privacy score becomes a very critical tool for a company to protect both their customer data and their own reputation as well. And, today computation and AI techniques are available to create such kind of comprehensive methods and uniform approaches for companies.

Debra J Farber:
That's really helpful. I'm sure there are some listeners who want to know more, like what goes into the privacy score and how do you weight different data, and obviously without a demo and all that, it's going to be really hard to, I think, probably to better understand it. But, do you have anything to speak to that at a high level, of how you go about creating a score that makes sense and appropriate weighting?

Debra J Farber:
Yeah, I love it. I think it's super helpful for just contextualizing, like, how does one company compare against another company, or how do the companies in your network compare against each other, or your baselines of what you would allow for such risk. I mean, definitely really exciting technology. So, you mentioned that you use AI to discover external data. Can you talk a little bit more about how Privaini does that?

Sanjay Saini:
Well, you know, in recent times, AI has been making headlines for many, many reasons, and it evokes some mix of different emotions, you know. Some people are excited about its potential and opportunities for innovation, and others are concerned about job displacement and privacy issues. So, we at Privaini, we think of it as a very good tool to get to what we want it to do, and we have taken a very deliberate approach. We harness the power of AI in a very responsible way. We employ AI to analyze the vast volume of corporate data. I'm talking about very, very large data sources, which otherwise would not have been possible. And, these specifically exclude even any sense of any personal information when we do our analysis, because what we are trying to figure out is the privacy impact on a company, about everything that is related and available about that company. The way we go about it, it allows us to create meaningful privacy insights. Now, one of the remarkable aspects of AI is its ability to just process and extract information from unstructured data coming from different, diverse sources, and do it at scale, because what we needed was to do all of this analysis at scale. And throughout our AI-driven approach, once we have done this analysis, we now standardize this information. And once the information is standardized, then we can now create other things, such as the privacy risk score that I was talking about. You can compare privacy profiles and privacy postures of two companies and make meaningful decisions out of it. So, we think the use of AI is very exciting and it's very powerful. That's how we think of it, but it has to be done in a meaningful and a deliberate way and, like I call it, the responsible use of AI.

Debra J Farber:
Yeah, that makes a lot of sense to me. So, as I mentioned before, one of the great benefits of Privaini seems to be its ability to continuously monitor for privacy risks with this "outside-in approach," and I'd love for you to speak more to the importance of this monitoring posture and the benefits to using an outside-in approach.

Sanjay Saini:
So, before I do that, let me just share what is available today. Let's say this traditional risk management approach, which is adopted by most companies, it focuses on managing risk within their own boundaries, within the enterprise. It's essential. It's absolutely required, but it falls short of providing any company protection against privacy risk. And, I firmly believe that relying solely on the inside-out approach, it creates a false sense of security and achievement for companies when it comes to privacy risk. Why? Because more than two thirds of privacy impacting issues, they arise from outside the company's firewall, from within its business network. Remember the privacy breach notice from the credit card company we were talking about? That is a classical problem that arises from the current approach, which is inside-out. So, what we did, we took a revolutionary approach. We said we're going to go outside-in. We have taken an outside-in approach where we examine externally-available data from various sources, and we use cutting-edge technology and very sophisticated algorithms to create a "privacy risk profile." The beauty of it is the "laws of large numbers" come into play. And when I speak to executives, I normally share this, that what we are trying to tell our buyers and our users is we will give you insights, so that way, you are roughly right and never exactly wrong. That's what we need to think of it. And in today's rapidly-changing landscape - I think you all know the famous saying that change is the only constant - regulations are being updated; business network members update their practices; there are security events happening; regulatory events happening left, right and center. It happens on a daily basis and a lot of them have direct impact on privacy. To navigate this changing environment, continuous monitoring is an absolute requirement. It's not a nice to have.

It's absolutely needed because you could have analyzed a company today and if something happens a week from now, unless you're monitoring it, you will miss that 'til the next annual questionnaire comes into play. The key reason for continuous monitoring is that when you identify a business associate (which may have a potential privacy-impacting issue or they may not be complying with what you had mutually agreed upon) you have to make a decision. You don't want to wait for the next annual questionnaire to be filled in before you want to make a decision. You may choose to shift your traffic, your business traffic, from them or take action in terms of your mitigation strategy to preserve your own data and your own consumer data. And this can be only done with monitoring. Staying ahead with monitoring is the name of the game, and I believe it's required now for most certifications and it's becoming part of legal requirements as well. So, that's why taking an outside-in approach and continuous monitoring is extremely important for companies to think about when they think of their privacy and its posture.

Debra J Farber:
Yeah, that seems to make a lot of sense to me. It's just, we need to focus more beyond our internal risk, and I think it's really exciting to see something like Privaini that is providing the capability to look at the larger risks across your entire business network. I think it's just incredibly exciting. So, thanks for kind of giving us a little more info about that. I am curious though, what does it take to set up an enterprise network with Privaini for full coverage of external privacy risks? Because, yeah, it's not so clear as to what you might need to know about an organization in order to set this up, so I'd love to hear a little more.

Sanjay Saini:
Yeah, I mean, traditionally, if you were to ask any executive, they will say it's impossible to do it because they have thousands, if not tens of thousands, of other businesses that they interact with and the traditional methods of questionnaires etc. are just too time consuming and inefficient. When I was doing my interviews, it turns out that most companies, although they allocate a significant amount of resources to assess privacy risk, they only cover 8% to 10% of their business network. The reason is not because they don't want to do it. The reason is that it's just too cumbersome today and the current methods don't scale because they rely on manual questionnaires coming in. Even if your entire business network sends the information back to you, who's going to read it and who's going to take action on it? Nobody does. That's the issue. So, when we started Privaini, we recognized the importance of creating an effective enterprise network-wide coverage. So, we designed a very frictionless approach to make sure that there is full coverage for a company's entire business network. Remember, we are taking an outside-in approach, so our customers do not need to ask their business network members to provide anything. All they need to do is provide us the list of companies that they do business with. Could be anyone: your suppliers, vendors, business partners, even your large customers, etc. It doesn't matter how long the list is. They just tell us the names of those companies and we take care of the rest of the stuff. We just basically go and create a risk profile for each one of them. In fact, we have thousands of such companies already in our library, so we just basically reuse it. This way, our customers get 100% coverage and the implementation is extremely rapid. It's almost like magic. In fact, one of the executives, they've told me, "Seems like magic." Then, when you think of it, it is very rapid and it works very well.

Debra J Farber:
Amazing, amazing. So, there's so much here. I know you've shown me a little behind the scenes of just what your reporting looks like for any company that you scan, and you've just got thousands of them already in your system. I think you even say you have the largest repository of privacy notices that you've analyzed.

Sanjay Saini:
We believe we are the largest repository of the information that is put together. That means privacy information, their complete corporate information, where they are registered to do business, where they are not registered to do business, any kind of regulatory database impact on them, and including cybersecurity events. All of these together, when you put this profile together, we believe we are the largest repository which brings all this information in one place.

Debra J Farber:
That's pretty impressive. So, recently, there have been a few things that have come to our attention that Privaini could have really helped with. One of those is the Criteo case. I'd love for you to talk about what that case found, what some of the major fines were and how a platform like Privaini would have surfaced privacy risks.

Sanjay Saini:
You're absolutely right, Debra, that major fines have now become the norm today, because what's happening here is 3, 4, 5 years ago, regulators were just writing the laws. Now they are enforcing the laws. The companies, unfortunately, are not ready for it yet. These fines, it looks like they are happening on a weekly basis. I can't imagine a week where we don't read that there are multimillion dollar fines which are imposed because of privacy risks, essentially. And, these multimillion dollar fines are now constant reminders of the seriousness of this issue. The example that you mentioned, which is the Criteo example, just to give you some background on it, this happened recently in June itself. A 40 million euro fine was imposed by the French regulator, CNIL, on Criteo, a French company, which, by the way, is rare. There are not too many instances where a French regulator had imposed a fine on a French company. The regulators identified numerous issues with Criteo's privacy postures, saying that what Criteo was saying was not correct practices. But, more importantly, the data that Criteo was processing on behalf of its customers was tainted. As the customers which actually sent them (and this is a B2B company, so this is not an end consumer) the customers which sent Criteo the information to process and do what they asked them to do, they lacked the appropriate consent mechanism. And, as a result, now Criteo was held responsible for the privacy exposure it caused and harms to the end consumer, essentially. Now, the reason why I'm highlighting this is this is not just a situation of a downstream provider creating an issue. This is an upstream provider which created an issue for Criteo. And this underscores the significance of how and why a robust platform is needed to effectively manage privacy risk across the entire business network. I don't think managing the privacy risk across business networks is just a nice-to-have.

It's a much-required capability, which every company should have. And, I'll pause there because the key thing which I want to say here is this is not just a nice-to-have element. A company should look at the broader view of the enterprise privacy risk management because it is the right thing to do; it has a positive impact on the bottom line and it builds trust. It builds trust with other businesses; it builds trust with regulators; and, more importantly, your customers. So, that's what we have been doing and that's what I'm super excited about in this space.

Debra J Farber:
This is amazing. I honestly think that the environments are ready for a solution like this. I think that both privacy and security teams are overburdened as it is trying to keep their programs running, and that something like Privaini can really do a lot of heavy lifting and surfacing insights that would help them make business decisions around privacy and security and whether you should still use and work with a particular vendor or partner or anybody else in your business network. So, gosh, this is like really exciting stuff and I really appreciate you being here today. If people want to learn more and reach out to you, how can they go about doing that?

Sanjay Saini:
You are welcome to come to our website, privaini.com, which is P-R-I-V-A-I-N-I.com, and I will even say, in the simple form, fill it in and we will provide you an introductory privacy assessment report of your company and then we can take it from there. We can have a follow up conversation and show you the demo of the product and all the cool stuff that we have been building.

Debra J Farber:
Excellent, and is there anything else you'd like to leave our audience with today? Any takeaways or a mantra that you live by, or anything?

Sanjay Saini:
I will say - the one thing which I will say is that privacy and trust are extremely important things, and I'm not saying that for the sake of it. I truly believe in it. The second thing which I will say is that I know I'm on a privacy shift left profile, but what I will say is, for privacy technical team members, at times you have to understand what is on the right side of the equation before you shift left. So, think through why in your environment, for your company and, more importantly, for the entire business network that your company deals with, and then how you can help them for the enterprise-wide privacy risk management. That's where I will pause here, and then, although I did say that it's a complex problem, it's also a very exciting opportunity, and I'm truly happy that I'm collaborating with leaders from all spaces to bring a solution which will be useful worldwide.

Debra J Farber:
Excellent. Well, Sanjay, thank you so much for joining us today on Shifting Privacy Left to discuss Privaini and its outside-in privacy risk monitoring capabilities for entire business networks. Until next Tuesday, everyone, when we'll be back with engaging content and another great guest.

Sanjay Saini:
Thank you, Debra.

Debra J Farber:
Thanks for joining us this week on Shifting Privacy Left. Make sure to visit our website, shiftingprivacyleft.com, where you can subscribe to updates so you'll never miss a show. While you're at it, if you've found this episode valuable, go ahead and share it with a friend. And, if you're an engineer who cares passionately about privacy, check out Privado: the developer friendly privacy platform and sponsor of the show. To learn more, go to privado.ai. Be sure to tune in next Tuesday for a new episode. Bye for now.