Streaming live May 22 and 23, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.

Kobi Nissan is CPO and co-founder at MineOS. Dedicated to empowering individuals and businesses with ground-breaking data privacy solutions, Kobi brings a unique perspective to the evolving world of data protection. He leverages a wealth of experience in entrepreneurship and product management, and has a passion for innovative technologies.

Kobi appears exclusively at PrivSec Global to discuss the EU’s AI Act, with focus on what organisations need to do to get compliance right.

Below, Kobi answers questions on his professional journey and the themes of his PrivSec Global session.

Could you outline your career pathway so far?

At Mine, our mission is to reshape the data privacy landscape by harnessing the power of automation and cutting-edge technologies. As the Chief Product Officer, I am committed to building products that revolutionize the way we handle personal data, giving users complete control over their digital footprint.

I have more than a decade of experience in product strategy (Accenture), business intelligence, business development, and behavioural economics (King Digital Entertainment), and hold an MBA from INSEAD, as well as a Bachelor’s degree in Industrial Engineering from Tel Aviv University.

During 2.5 years as a VC investor at Saban Ventures, I had the opportunity to deploy $20m in +10 amazing early and late-stage companies in the Israeli ecosystem. I worked closely with the portfolio companies as well as sourcing and evaluating all investment opportunities with a strong emphasis on technology, product, system integration, and business strategy. 

Prior to joining Saban Ventures, I worked at King Digital Entertainment in London, where I coordinated a data analytics team, delivering insights for mobile game optimization as well as marketing strategy. 

Prior to that, I spent four years as a consultant at Accenture where I led both strategic and technological project execution in a variety of industries including Communications, Banking, and Pharmaceuticals.

Prior to Accenture, I co-founded a Fintech venture and served in various project management and business development roles at ECI Telecom.

What steps do organisations need to take to expedite compliance with the forthcoming EU AI Act?

Companies need to take a practical approach to AI Act compliance, and that’s difficult now since organizations do not know exactly what to expect. The bottom line of any framework is visibility and awareness, and the EU AI Act is no different since you need to know the level of risk your system is operating with.

The key then to expediting compliance is to start out with data discovery to understand where AI lives within your organisation, who is using it, and why it is being used. The amount of work your team is doing on an AI system matters as well, since the requirements for deployers vs providers varies and an organization could cross that line from one to the other and not even realize it.

If you have continuous data discovery with a context-based approach, you’re setting a firm floor for all the impact assessments and compliance requirements within the AI Act, and you’ll have the full knowledge you need to have the necessary conversations with Product and Engineering teams.

If you’re unable to identify where AI is processing data or if the risk calculus changes–which especially could happen in an unsupervised training environment–you’re going to end up with an adversarial relationship between innovation and compliance, and that doesn’t benefit anyone.

Organizations have a second chance with AI to invest in compliance as a value and brand driver after many were slow to do so in regards to privacy, and the first steps for that will always be embedding the compliance team within the work flows of other departments and then utilizing data visibility to direct decisions from there.

What are the common challenges that many organisations face as they bid to achieve compliance?

Especially for enterprises, keeping track of all the data systems staff are using is much harder than you think. The size of an enterprise data stack today is enormous, and even when organizations have rules in place to restrict usage of things like ChatGPT and even Grammarly, some workers will use those tools anyway.

If you don’t have visibility over that and employees don’t have training on how to interact with genAI, that’s creating needless and outsized risk.

So many organizations are still trying to do data mapping manually, and it’s just a virtually impossible task for it to hold any value in 2024. Things change too fast and are much too complicated to get insight into unless you’re using the right tools for data discovery and classification.

This also reflects in the other worries we hear from customers and prospects about AI. They’re unsure what the new impact assessment templates will look like and how they’ll be able to complete them. They’re worried about the fuzziness of definitions within the AI Act and how certain use cases will actually be regulated, and above all, they’re worried about a new, unknown layer of risk that no one is used to operating around.

These are big problems, but I think people need to recognize that they can only tackle them with baby steps, one at a time. You’re not going to jump from A to Z in the dawn of AI compliance, so getting tools and operations in order, getting data systems with AI identified, and prioritizing data security and risk management across the entire organization are the first steps to addressing any challenge that arises around AI.