Meet the expert: Tainá Baylão to speak at #RISK London

Taking place on October 18 and 19 at EcXel London, #RISK London addresses the issues impacting organisational risk today, from Governance, Risk and Compliance (GRC), to Environmental, Social and Governance (ESG), organisational culture, and much more.

The event builds on the success of #RISK 2022, allowing organisations to examine the cumulative nature of risk, unite GRC specialities and share views with subject-matter experts.

Tainá Baylão is Senior Specialist Data Protection at Infineon Technologies. She will be at #RISK London to discuss emerging privacy-enhancing technologies and their application to business success.

We caught up with Tainá to hear more about her professional journey to date and for insight into the issues on the table at his forthcoming #RISK London session.

Could you outline your career so far?

I’m originally from Brazil, which is where I’ve got my Bachelor of Law degree and lawyer qualification from. I’m also now a qualified lawyer in Portugal as well. Early in my career, I was more focused on Civil Law and Business Law matters, gaining experience through various law firms and government positions. 

However, in 2020, my passion for data protection ignited during my LLM studies at the University of Göttingen. Since then I’ve dedicated my career entirely to privacy. I delved into the field by writing my Master’s thesis on Data Processing Agreement Compliance for global companies, and by obtaining certifications from OneTrust, IAPP and Maastricht University.

My privacy journey led me through roles as a Privacy Analyst in a consultancy in Ireland, a mid-level Privacy Counsel in a reputed law firm in Sao Paulo, and now, as a Senior Data Protection Specialist at Infineon Technologies, a leading global semiconductor manufacturer. 

In my current role, I handle many responsibilities, including contract negotiations, vendor risk assessments, awareness programs, data subject requests, and my personal favourite, exploring the intersection between Data Protection and Artificial Intelligence. I’m passionate about discussing new technologies and their implications. 

What are the main privacy enhancing technologies (PETs) that organisations will be adopting over the coming 12 to 24 months?

Although there are many I could mention, I would like to highlight six key PETs at the forefront of this trend:

• Differential privacy: which is a technique that adds ‘noise’ to individual data points to protect privacy while preserving the overall statistical insights of the dataset. 
• Federated learning: which enables the training of machine learning models across multiple devices and servers while keeping data localized and decentralized. 
• Homomorphic encryption: which allows computation on encrypted data without the need for decryption. 
• Synthetic data: which involves using generative AI to create data that resembles actual data, but without real personal information.
• Self-sovereign identity: which empowers individuals to control their digital identities without relying on central authorities. 
• Zero-Knowledge proofs: which is a cryptographic technique that enhances privacy by verifying information without revealing the data itself. 

The pattern is clear, Artificial Intelligence plays an increasingly a crucial role in the development of PETs. The other way around, PETs also have shown significant progress when applied to generative models. 

For example, by injecting carefully calibrated noise during the training process, these models offer stronger privacy guarantees, ensuring that individual data points cannot be easily inferred from the model’s output. While machine unlearning is not a reality (and therefore neither data deletion from those models), this might be one the best approaches towards ensuring privacy rights are enforceable in large language models such as ChatGPT.

What are the primary benefits and challenges that some of these PETs present?

Some patterns that we can identify between these PETs are:

Benefits:

• Enhanced Privacy and Responsible Data Use: those PETs enable organizations to safeguard sensitive data while still allowing business to leverage their insights. This also helps foster trust with data subjects.
• Data Subject Empowerment: the tendency is to give, whenever possible control and choices to the data subject.
• Increased security: advanced cryptographic techniques are top priority and one of the most effective ways to assure data protection compliance. 

Challenges: 

• Technical Complexity: integrating PETs into existing systems may require expertise, time and resources. The need for privacy engineers has become more prominent by the second.
• Data utility trade-off: striking a balance between data privacy and utility can be challenging, as strong privacy measures may impact data analysis accuracy. 
• Interoperability: ensuring PETs can work seamlessly together and with different platforms may pose compatibility issues.
• User acceptance: convincing users to embrace new privacy-focused technologies might require education and transparent communication. 
• Regulatory landscape: compliance with evolving privacy laws and regulations demands ongoing efforts and adaptation. 
• Ethical considerations and potential adversarial uses of synthesized data must be carefully addressed. 

Therefore, we have to carefully weigh the perks and drawbacks before implementing any type of technology. It is also important to take into consideration your organization’s risk appetite, profile and budget. Some PETs might be welcomed for more regulated sectors, more subject to using sensitive data, while for companies that mostly process names and emails only, those might not be worth the investment. It should always be a case-by-case analysis.