In a recent article, "Processing Identifying Data is Unlawful in Many Situations", compelling arguments have been presented for why GDPR Pseudonymisation is the state-of-the-art solution for GDPR-compliant processing of data that is exposed to:
Schrems II is inevitably a turning point for organisations to make material changes to handling international data transfers.
Organisations cannot expect to conduct data transfers as they did before the ruling clarified the "Cloud Risk" inherent in processing EU personal data in the clear using US cloud services, regardless of the location of services.[1] Furthermore, the Amazon fine highlights that organisations are exposed to "Lawful Processing Risk" when processing for data analytics, AI and ML operations cannot be justified based on 'consent' and 'contract' legal bases, regardless of the nationality of the controller or processor.
Pseudonymisation technology recommended by the GDPR and affirmed by the European Data Protection Board and the European Commission[2] helps to overcome both of these challenges. Schrems II and the Amazon fine have overarching effects beyond clarifying restrictions on the processing of EU personal data. GDPR Pseudonymisation enables organisations to conduct international data transfers according to Schrems II requirements and to lawfully process EU data by:
Furthermore, properly implemented GDPR Pseudonymisation also:
The benefits of GDPR Pseudonymisation extend beyond overcoming Cloud Risk and Lawful Processing Risk when using EU personal data. They also provide structure for enhanced global data innovation and value creation.
For example, GDPR Pseudonymisation helps to:
GDPR Pseudonymisation-enabled Anonos Variant Twins enable the global sharing and processing of controllably re-linkable, non-identifying personalised data to help unlock data's commercial and societal value.
Gartner Group recognises Anonos as a Gartner Cool Vendor because patented "Variant Twins" create controllably re-linkable yet non-identifiable data sets from personalised data. This enables compliant data processing with no degradation in accuracy or speed of processing compared to identifying cleartext data.
If you have any questions, please contact me via LinkedIn.
-------------------
[1] See https://www.linkedin.com/pulse/identifying-data-maybe-unlawful-gdpr-pseudonymisation-magali-feys/; see also https://emtemp.gcom.cloud/ngw/eventassets/en/conferences/hub/cloud/documents/move_from_cloud_first_to_clo_467017.pdf. Many cloud-native Software-as-a-Service (SaaS) offerings and cloud-first strategies violate Schrems II prohibitions on processing identifying EU personal data in US-operated clouds, regardless of the location of the servers, due to surveillance concerns. However, GDPR Pseudonymisation can enable Schrems II compliance if an organisation can establish as its default the processing of Pseudonymised data whenever, wherever, and as often as possible (as required by GDPR Articles 25 and 32) so that non-Pseudonymised (i.e., identifying) data is processed only when necessary (helping to satisfy GDPR Articles 5(1)(b) Purpose Limitation and 5(1)(c) Data Minimisation), provided that: (a) there is a legal basis to do so under Article 6 (e.g., based on Article 6(1)(a) consent, 6(1)(b) contract, 6(1)(f) legitimate interests, or 9(2)(j) scientific research by leveraging Pseudonymisation-enabled technical and organisational measures to satisfy the "balancing of interests" test); and (b) the processing satisfies derogation requirements (e.g., Article 49(1)(a) based on consent, Articles 49(1)(b) or (c) based on contract), which were expanded to enable repetitive use for specific situations in the final EDPB Schrems II Guidance at https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf
[2] Id.
[3] See https://www.weforum.org/agenda/2021/08/data-marketplaces-can-transform-economies/ and https://www.linkedin.com/pulse/european-parliament-highlights-need-more-effective-data-gary-lafever/
[5] See https://www.zdnet.com/article/colorado-becomes-latest-state-to-pass-data-privacy-law/
This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.