Five Stages of GDPR Adjustment

This post includes new information responding to questions raised following publication of a prior version appearing in International Association of Privacy Professionals (IAPP) Privacy Perspectives.

On January 31, I took part in an IAPP-hosted webinar on managing risk and big data analytics under the EU's General Data Protection Regulation alongside Gwendal Le Grand, the Director of Technology and Innovation at the CNIL, France's data protection authority, and Mike Hintze, former Microsoft chief privacy counsel and now partner at Hintze Law.

Based on interactions with companies and regulators following the webinar, we found that companies are at varying stages of adjustment to the upcoming regulation. Understanding these five stages, we believe, can help companies that control and process personal data find a solution to their needs. So, here we go:

STAGE ONE - AWARENESS

At this stage, a company is aware that the GDPR contains new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors. Since compliance enforcement commences in the spring of 2018, many companies are stuck at this stage and are postponing moving to a solution. Yet preparation for compliance with the GDPR should begin now.

The company is usually also aware of the GDPR’s broad jurisdiction. It applies to all companies processing personal data for one or more EU citizens, regardless of where the company is located or has operations. The company is also aware that penalties for noncompliance can include fines of up to four percent of global gross revenues, along with class-action lawsuits, and direct liability for both data controllers and data processors for data breaches, data breach notification obligations, and so forth.

STAGE TWO - ACCEPTANCE

A company at this stage realizes it cannot rely on prior approaches or legal bases for data analytics, artificial intelligence, or machine learning. While consent remains a lawful basis under the GDPR, the definition of consent is significantly restricted. Under the GDPR, consent must now be “freely given, specific, informed and an unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.?

These requirements for GDPR-compliant consent are not satisfied if there is ambiguity and uncertainty of data processing, as is the case with data analytics, artificial intelligence, or machine learning, or what we'll refer to as big data henceforth. These heightened requirements for consent under the GDPR shift the risk from individual data subjects to data controllers and processors.

Prior to the GDPR, risks associated with not fully comprehending broad grants of consent were borne by individual data subjects.

Under the GDPR, broad consent no longer provides sufficient legal basis for big data. Data controllers and processors must now satisfy an alternate legal basis for big data processing.

STAGE THREE - UNDERSTANDING

At this stage, a company appreciates that the GDPR does provide a means to continue big data processing. If GDPR proportionality, necessity, and state of the art obligations are satisfied by complying with new Pseudonymisation and Data Protection by Default requirements, "legitimate interest? can be used as a legal basis for big data processing:

• GDPR Article 4(5) defines Pseudonymisation as requiring separation of the information value of data from the means of linking the data to individuals. The GDPR requires technical and organizational separation between data and the means of linking the data to individuals. Traditional approaches like persistent identifiers and data masking do not satisfy this requirement, since correlations between data elements are possible without requiring access to separately protected means of linking data to individuals. The ability to re-link data to individuals is referred to as the correlative effect, re-identification via linkage attacks. It is also referred to as the Mosaic Effect, because the same party who has access to data can link the data to individuals.
• GDPR Article 25 imposes a new mandate for Data Protection by Default. It requires that data must be protected by default and that steps are required to use it, as opposed to the pre-GDPR default, where data is available for use by default and steps are required to protect it. It requires that those steps enforce use of only that data necessary at any given time, for any given user, and only as required to support an authorized use, after which time the data is re-protected.

STAGE FOUR - EVALUATING

A company at this stage is evaluating technology to determine if it satisfies GDPR requirements for both Pseudonymisation and Data Protection by Default.

• Pseudonymisation requires separating the information value of data from the ability to attribute the data back to individuals.
• Data Protection by Default requires revealing only that data necessary at a given time, for a given purpose, for a given user, and then re-protecting the data.

The advent of controlled linkable data

A webinar sponsored by the International Association of Privacy Professionals (IAPP), entitled How to Comply with the GDPR While Unlocking the Value of Big Data featuring Gwendal Le Grand, the Director of Technology and Innovation at La Commission Nationale de l'Informatique et des Libertés (CNIL), and Mike Hintze, former Microsoft Chief Privacy Counsel and now partner at Hintze Law, introduces the term Controlled Linkable Datat o describe new technology that achieves two critical goals:

• Supports Pseudonymisation by separating the information value of data from the ability to attribute the data back to individuals; and
• Satisfies Data Protection by Default, defined as revealing only that data necessary at a given time, for a given purpose, for a given use, and then re-protecting the data.

How does Controlled Linkable Data achieve these dual goals? It replaces restricted data elements, such as personal data under the GDPR, protected health information under HIPAA, and contractually restricted elements by dynamically changing pseudonymous tokens. As a result, Controlled Linkable Data does not enable correlations or "linkage attacks" back to the identity of individuals without access to keys.

Controlled Linkable Data also provides access to more accurate data, because it unlinks it without degrading it. On the other hand, alternative approaches apply Privacy Enhancing Techniques (PETs) indiscriminately, without allowing for what purpose the data will be used for, a shortcoming that degrades the value of the data.

Controlled Linkable Data can be implemented with a revolutionary approach, called Anonos BigPrivacy. Five granted patents, plus 50+ patent applications worldwide protect the unique capability of Anonos technology to use dynamically changing identifiers to enable Controlled Linkable Data.

STAGE FIVE - ENSURING CONTINUITY

Companies at this stage of adjustment are seeking to verify that technology vendors satisfy GDPR requirements for Pseudonymisation and Data Protection by Default, so that by using the technology they can ensure ongoing continuity of operations.

At what stage are you? Let us know. Contact us.

The Anonos intellectual property program, which is backed by 5 granted patents and 50+ additional patent applications worldwide, is the only technology that assures ongoing access to dynamically changing identifiers. This assurance produces invaluable benefits:

Companies do not have to worry about disruptions in access to Anonos’ BigPrivacy implementation of Controlled Linkable Data due to claims by third parties.

Companies also have the option of using Anonos’ BigPrivacy technology the way that best suits their needs.

Note: If a vendor other than Anonos supports Pseudonymisation and Data Protection by Default, which are the two requirements for Controlled Linkable Data, by means of dynamically changing identifiers, the interested company should verify the vendor has rights under Anonos patents.

If a vendor supports Pseudonymisation and Data Protection by Default by means other than dynamically changing identifiers, the company expressing interest should verify that this alternate approach satisfies the requirements for proportionality and necessity under GDPR Recitals 4, 156, 170 and Articles 6(4), 24 and 35, as well as state of the art requirements under GDPR Recitals 78 and 83 and Articles 25 and 32.