April 5, 2018
Written by Gary LaFever
5 Steps to Enable Compliant Analytics

Step #1: Your Company is Not Alone, Unless...

Your company is not alone in its desire to engage in advanced analytics, data sharing, AI, and migration to the cloud. But data uses are evolving faster than the capabilities of traditional privacy and security controls. You must technically enforce policy controls at the data element level, or your company will be left alone while competitors are maximising compliant data use, sharing and migration to the cloud.

  • With new dynamic pseudonymisation technology, even the most highly regulated companies can process data analytics and AI in the cloud.

Step #2: The Rules Have Changed...

All EU personal data effectively becomes highly regulated data under the GDPR. Many data access practices and uses which have been legal for decades will become illegal under the GDPR. Traditional privacy and security technologies do not support many lawful data uses in compliance with GDPR requirements because they cannot technically enforce policy controls at the data element level.

  • The new norm of EU data protection is that personal data use must be granularly controlled to protect privacy... it is no longer just about encrypting data.

Step #3: May 25th is just the BEGINNING...

The “sound heard around the world” on May 25th will not be the sound of EU Data Protection Authorities imposing enormous GDPR penalties. The sound will be privacy and security teams telling technology and analytics teams that they no longer have a lawful basis to use data for advanced analytics, sharing, or AI, and that they cannot migrate data to the cloud because of the risk of these penalties. Companies are rapidly growing their data analytics teams while their privacy and compliance teams are not growing in size, only in duties and responsibilities. Privacy and compliance teams want to support business objectives, but if they can’t operationalize and automate processes, many desired data uses will become illegal and no longer permitted.

  • New pseudonymisation technology enables legitimate interests as a lawful basis for advanced data analytics, AI, sharing and migration to the cloud. If compliance is not operationalized and automated, companies will not be able to support growing business needs.

Step #4: Hard to Say, Harder to Live Without…

Within the next few years, all companies will begin PSEUDONYMISING data to ensure compliant data use, sharing and migration to the cloud. Some companies are well versed in the requirements of pseudonymisation, others have a general idea of its benefits under the GDPR, and some have a hard time saying or spelling it. Pseudonymisation is very different than Anonymisation. There is no such thing as Pseudo-Anonymization.  The benefits of complying with the GDPR definition of Pseudonymisation make it well worth implementing from the “edge” of data collection all the way to the data lake for streaming privacy controls. Companies that realize the benefits of pseudonymising data first will be those that leave competitors behind.

  • If you never need to re-link your data then generalized statistics, differential privacy or homomorphic encryption may meet your needs. If you ever want to re-link your data under controlled conditions - which most use cases require - you need dynamic pseudonymisation technology to overcome the Mosaic Effect.

Step #5: Anonos BigPrivacy Dynamic Pseudonymisation

Data uses are getting bigger and so are privacy concerns - that is why many of the leading companies around the globe are implementing Anonos BigPrivacy dynamic pseudonymisation technology.

  • The European Commission Directorate‑General for Communications Networks, Content and Technology (DG CONNECT) is the department responsible for both data innovation and data protection.  A DG CONNECT official summarised a March 23, 2018 meeting with Anonos as follows:

I had previously seen three avenues to doing data-driven innovation with personal data in a privacy compliant manner. First, you may secure the consent of a person. Second, you may find a use case where anonymized/generalized data are "just good enough," and you can prove that your method of anonymization or generalization works to prevent re-linking of data to individuals. Third, you may hope that emerging technologies for privacy-preserving analytics like multi-party computing or homomorphic encryption could help you achieve your goal. But, we have learned today that there is a new way - Anonos has introduced us to a distinctly different fourth approach which is BigPrivacy dynamic pseudonymisation technology.

Enjoyed an in-depth session with Gary and Ted from @anonos at our Luxembourg premises today. Pseudonymisation as means to balance between data protection and data re-use @BigPrivacy