Need-to-share principle as a growth driver: cornerstone for scalable GenAI use cases

Industry: Automotive OEM | Period: 3 months | Team size: 2 consultants

Data has long been much more than the “new oil” – today it is at the heart of successful AI and analytics transformations. However, gaining valuable insights for people and algorithms from raw data remains one of the key challenges for companies that want to develop real competitive advantages through innovative technologies.
Our customer, a leading German car manufacturer, is facing precisely this challenge. The aim is to orchestrate the extensive existing database in such a way that innovative use cases relating to generative AI can be utilized to the maximum – while fully complying with both strict EU regulations and internal security guidelines.
Together with the specialist departments, IT and corporate security, our experts have developed a forward-looking solution that optimally addresses this area of conflict: A data object-based “need-to-share” approach that enables automated, secure and compliant data exchange, paving the way for sustainable innovation.

Author

Tim Naumann

Manager

Challenge: How silos and processes make access to company data more difficult

In medium-sized and large companies – such as our project customer – there are often hurdles that limit company-wide data availability:

Restrictive approval mindset due to misunderstandings:
While legal and regulatory requirements within the need-to-know principle are essential, they are often misinterpreted or over-applied. The result: too few users gain access to relevant information, while new access requests remain complex, time-consuming and subject to the burden of proof on the part of the data consumer.
Complex role and rights concepts with long approval processes:
Authorization concepts and their associated application and approval processes have often grown historically and are therefore unsuitable for today’s digital, networked working methods of thousands of users. They are often tailored to a small group of users, which leads to a flood of approval requests and inefficient, sometimes blind or blanket approvals when they are transferred to different departments – and thus counteracts the original idea of the need-to-know principle.
One-sided focus on risk without considering added value:
In the context of corporate security, the risk management of data access is usually the top priority. However, if the user group is expanded in a targeted and comprehensible manner, not only the potential risks of a data outflow increase, but also the business added value. For GenAI use cases in particular, it is therefore essential to always weigh up the potential benefits against the risks.
Application-oriented instead of data-oriented security:
Information protection requirements are often classified at application or system level and based on the respective intended use. This leads to redundant and sometimes contradictory assessments of identical data in different contexts – and stands in the way of a genuine, data-oriented security strategy. The “data access islands” resulting from this setup are already hindering the implementation of classic use cases. However, they become real stumbling blocks for successful AI transformation, especially in company-wide use cases such as “chattable data”.

Success Journey: The Need-To-Share Transformation with Ventum Consulting

01

Transparency about the status quo in risk processes and regulatory requirements

A comprehensive analysis of all data-related risk and approval processes ensured clarity across the organization regarding processes, data criticality and access authorizations. Together with Group Security, the regulatory requirements were then reviewed and the scope for a need-to-share principle was defined. A need-to-know principle remains necessary for certain external certifications - this was resolved by means of various data criticality levels and assigned person and role groups. In addition, the transparency gained has dispelled existing myths, for example regarding personal liability.

02

Development of a quick-win approach for pilot projects

In just a few weeks, two central IT platform projects demonstrated how access rights can be efficiently extended from individuals to groups of people - without extensive changes to approval processes or responsibility profiles. The key lay in the addition of an explicit opportunity assessment to the approval documents, whereby risks and business benefits were clearly juxtaposed - previously they were at most an implicit subject of discussion. This gave decision-makers a sound basis for quick, transparent approvals. This approach enables the need-to-share principle and can be transferred to other use cases in principle. However, it remains related to specific IT contexts or systems. However, the release of data objects "per se" is necessary if AI and analytics applications are to connect data sources efficiently and dynamically.

03

Data-centric & tool-supported central release process for data

For a comprehensive implementation of the need-to-share principle, a flexible, scalable solution is required that focuses on the business object as the central data model. Protection requirement classifications are stored directly and reusably on these objects and can therefore be used for all applications. This enables the automatic release of non-critical data and speeds up the process for critical data by providing information for the risk-benefit assessment. The basic requirement is a central, company-wide data catalog (business object repository) with mapping to the physical schemas. All business objects, including their protection class and need-to-share capability, can be accessed transparently. A machine-readable, semantically enriched catalog not only supports automated approvals, but also provides a company-wide ontology - an advantage for employees and AI systems alike when it comes to comprehensively understanding specific company data, especially when it comes to specific company data whose correlations are not apparent from the general training data of the AI models.

The Impact at Launch

Clarity in the risk assessment and approval process:
Previously fragmented sub-processes in risk analysis and access approval were integrated, conflicting responsibilities were resolved and risks were systematically compared with business opportunities for the first time. This created new transparency, helped to identify scalable solutions and shortened the time from the finished use case to productive deployment - for faster business impact.
Realizing the opportunities of need-to-share while maintaining need-to-know:
Within a few weeks, a clear understanding of the actually required need-to-know rules was created and overinterpretations identified. This enabled the targeted introduction of the need-to-share principle at user group level and its establishment in initial breakthrough projects such as "Chattable development data" - as a blueprint for other fields of application such as data-based IT governance.
Strengthening the transformation mindset and change communication:
Clarity regarding regulations, processes and responsibilities has reduced reservations about access approvals. As a result, employees benefit from transparent guidelines, more room for maneuver and simpler, comprehensible approval processes. Cooperative interaction between IT, specialist departments and Group Security was established - as a catalyst for the sustainable rollout of the need-to-share approach and therefore as a basis for handling data as a raw material and thus for a Group-wide data-driven transformation.

Summary & outlook: From proof of concept to scalable data excellence

The ability to share data securely and in a controlled manner across organizations is one of the key prerequisites for the success of data-driven innovations today – especially when it comes to scaling GenAI use cases. Even state-of-the-art technologies and AI tools cannot reach their full potential as long as there are access barriers and no effective need-to-share principle is established.

Ventum Consulting accompanies companies on this journey – from the initial proof of concept through to comprehensive, company-wide implementation. With extensive experience in data governance, compliance, technology integration and organizational change, we ensure sustainable success.
Find out more about our services and approaches for an effective data strategy here.