After Schrems II and the Amazon Fine: Overcome GDPR Compliance Challenges and Achieve Innovation Breakthroughs with GDPR Pseudonymisation
In a recent article, Processing Identifying Data is Unlawful in Many Situations, compelling arguments have been presented for why GDPR Pseudonymisation is the state-of-the-art solution for GDPR-compliant processing of data that is exposed to:
- Cloud Risk because processing is not restricted to the EU and personal data is processed in the clear in US cloud; and
- Lawful Processing Risk because processing cannot be justified based on:
- Consent (valid consent requires a specific description of each separate future processing activity and their corresponding purposes at the time of data collection, which is impossible for most analytics, AI or ML); or
- Contract (which is strictly construed to require desired processing to be essential – and not just ancillary – to the purpose of the contract, being useful for the purpose is not sufficient).
Schrems II is inevitably a turning point for organisations to make material changes to handling international data transfers.
Organisations cannot expect to conduct data transfers as they did before the ruling clarified the "Cloud Risk" inherent in processing EU personal data in the clear using US cloud services, regardless of the location of services. Furthermore, the Amazon fine highlights that organisations are exposed to "Lawful Processing Risk" when processing for data analytics, AI and ML operations cannot be justified based on 'consent' and 'contract' legal bases, regardless of the nationality of the controller or processor.
Pseudonymisation technology recommended by the GDPR and affirmed by the European Data Protection Board and the European Commission helps to overcome both of these challenges. Schrems II and the Amazon fine have overarching effects beyond clarifying restrictions on the processing of EU personal data. GDPR Pseudonymisation enables organisations to conduct international data transfers according to Schrems II requirements and to lawfully process EU data by:
- Technologically ensuring data protection by limiting re-identification risk;
- Satisfying the legitimate interests test by minimising risks to data subjects and enabling lawful processing of personal data;
- Expanding opportunities for lawful use, sharing and combining data; and
- Improving the accuracy of analytics, AI and ML.
Furthermore, properly implemented GDPR Pseudonymisation also:
- Enforces embedded distributed trust controls that travel with the data to dynamically reduce the risk of re-identification while enabling more expansive data use, sharing, and combining.
- Replaces indirect identifiers and attribute information that can lead to unauthorised re-identification with dynamically assigned replacement pseudonyms that are not re-linkable, thereby introducing maximum "entropy" (uncertainty) within and between data sets to reduce the risk of r-identification.
- Does not limit the scope of processing or degrade the accuracy/relevancy of data as required by other de-identification techniques to manage re-identification risk.
The benefits of GDPR Pseudonymisation extend beyond overcoming Cloud Risk and Lawful Processing Risk when using EU personal data. They provide structure for enhanced global data innovation and value creation by using GDPR Pseudonymisation.
For example, GDPR Pseudonymisation helps to:
- Transform global economies by leveraging Fourth Industrial Revolution (4IR) technology to reimagine consent and permission mechanisms differently.
- De-identify Protected Health Information (PHI) in compliance with California Consumer Privacy Act (CCPA) requirements, which are more stringent than requirements under the US Health Insurance Portability and Accountability Act (HIPAA).
- Avoid disruptions to data flows under US state privacy laws (e.g., California, Colorado, and Virginia) requiring the deletion of identifying data from both an organisation's systems as well as all third parties to whom data was shared, in response to "do not sell my data requests." 
GDPR Pseudonymisation-enabled Anonos Variant Twins enable the global sharing and processing of controllably re-linkable, non-identifying personalised data to help unlock data's commercial and societal value.
Gartner Group recognises Anonos as a Gartner Cool Vendor because patented "Variant Twins" create controllably re-linkable yet non-identifiable data sets from personalised data. This enables compliant data processing with no degradation in accuracy or speed of processing compared to identifying cleartext data.
>>If you have any questions, please contact me via LinkedIn.
This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.
CLICK TO VIEW CURRENT NEWS