September 13, 2017

GDPR Requires Controlled Linkable Data to Comply With State of the Art and Proportionality Requirements

Without complying with new requirements under the General Data Protection Regulation (GDPR), organizations are prohibited from performing data processing activities that they have relied upon for many years – including personalization, customization, analytics, artificial intelligence, machine learning, and sharing data with third parties.

The new state of the art [1] in data protection is Controlled Linkable Data [2] which enables these types of processing activities in compliance with the GDPR and proportionality [3] principles for ethical and lawful use of personal data.

Why This Is Significant:
  • The GDPR is the biggest regulatory change in data protection in several decades, and it applies to almost all organizations operating internationally – no physical presence or EU sourced revenues are required – all that is required is one or more data records of an EU resident. Failure to comply with GDPR exposes organizations to significant liability and exposure including class action lawsuits, administrative fines of up to 4% of global gross revenues and adverse public perceptions.
  • Traditional data processing activities relied upon for years by organizations are now illegal under the GDPR. To lawfully continue this processing, alternate legal bases must be supported which require new technical capabilities not supported by security and privacy technologies developed prior to the GDPR.
  • The new state of the art in data protection – Controlled Linkable Data – enables technological “dialing-up” or “dialing-down” of the linkability (identifiability) of structured and unstructured data to support data uses in compliance with legal bases provided under the GDPR, contractual restrictions, authorized uses, etc.
  • Since Controlled Linkable Data is now commercially available and deployable, organizations must be prepared to explain under EU proportionality principles why, if they do not use it.
  • EU proportionality principles evaluate proposed actions or processes under three criteria:
    • Legitimacy: Is the purpose for which an action or process is proposed proper and legitimate;
    • Suitability: Is the proposed action or process a suitable means of achieving the legitimate purpose; and
    • Necessity: Are there other ways to achieve the desired purpose in a manner that infringe less on the freedoms and interests of others. If so, why does an organization not use them?
 
The new state of the art – Controlled Linkable Data – has advanced to where it enables organizations to accomplish desired data processing objectives in compliance with GDPR and EU proportionality requirements.

Controlled Linkable Data satisfies GDPR requirements for (i) dynamic pseudonymisation [4] to separate the information value of data from the ability to attribute data back to individuals and (ii) data protection by default [5] to enforce real-time, use case specific, fine grain control over data, thereby:

  • Minimizing Risk: Mitigate vulnerability to data breaches by reducing the “surface area” of attack at a granular level when data is in use; and
  • Maximizing Utility: Control the level of linkability (identifiability) of data required for each specific use to enable lawful permissible use and processing of data.

Many organizations do not yet fully appreciate that many of their core data processing activities today cannot be performed under the GDPR, without controlling the linkability of data using technology. The first question that any company should ask when evaluating technology is whether it helps satisfy new legal bases required to make lawful use of personal data. Technology that supports Controlled Linkable Data enables a wide spectrum of compliance and business objectives by technically controlling the linkability of data to support new required legal bases. [6]

Numerous processing activities required for daily operations are no longer lawful under the GDPR, without implementing new technology to satisfy non-consent [7]/non-contract [8] legal bases. [9] The good news is that the new state of the art – Controlled Linkable Data – has advanced alongside the regulatory requirements under the GDPR, to enable compliance and achievement of organizations’ processing objectives.

Security and privacy technologies developed prior to the GDPR fail to satisfy new requirements for dynamic pseudonymisation and data protection by default required to support the appropriate legal bases to make lawful use of personal data under GDPR.

The GDPR severely limits the use of individual data subject consent as a legal basis for processing. In most cases, new consent requirements under the GDPR will render current data subject consents obsolete. Even were one to reestablish this data subject consent where possible, relying on consent alone dramatically limits the ability of organizations to make lawful use of personal data since data subjects can no longer grant effective consent for processing that they cannot fully understand at the time of consent.

Data uses made possible by the advanced state of technology (e.g., personalization, customization, analytics, artificial intelligence, and machine learning) often render consent impractical since new uses/opportunities do not arise until more in-depth analysis is completed. Consent cannot encompass the iterative nature of these digital advances. Organizations will miss out on insights made possible by advanced technology if they focus on complying with GDPR requirements using consent alone.

Today’s digital world imposes increasing risks and limitations on the “free” use of data, but technically enforcing granular control over the linkability of data reduces risk of lawsuits, penalties, reputational damage, investigations and audits while simultaneously increasing capabilities to personalize/customize offerings, perform analytics, artificial intelligence, and machine learning, and lawfully share data with third parties. Controlled Linkable Data enforces GDPR safeguards necessary to undergird “legitimate interest”[10] as a valid legal basis for processing “[w]here the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent . . . the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia… (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.” [11]

The GDPR supports four categories of data use. If an organization wants to process data in categories 2 or 3 – which are at the core of the new digital economy – they must control the linkability of data. The new state of the art – Controlled Linkable Data – leverages dynamic pseudonymisation [12] to help defeat unauthorized re-linking of data and ensure data protection by default [13] to protect data on a per use basis so that only the minimum data necessary is used.

Category 1 – Consent/Contract Use Based
(Linked/Readily Linkable Data)

This category involves using personal data (i) within the scope of consent [14] from data subjects expressly limited to what is specifically and unambiguously described at the time of consent and (ii) necessary for the performance of contract. [15] This includes personal data that is directly attributed to a data subject (“Linked Data” [16]) and data that is easily linked to a data subject (“Readily Linkable Data” [17]). There are significant limitations imposed on both of these legal bases (i and ii above) that restrict lawful data use beyond their express scope. [18] When processing Linked Data and Readily Linkable Data, data controllers must also provide security to protect against unauthorized use or disclosure and must fulfill other GDPR obligations including supporting new expanded rights granted to data subjects under the GDPR [19] (“Expanded Data Subject Rights”). An original data controller may share Linked Data and Readily Linkable Data with other data controllers/data processors to facilitate processing within the scope of consent/necessary for contract, only if the co-data controllers/data processors seamlessly enforce security, processing and contract requirements of the original data controller so that from an individual data subject’s perspective, all controls, procedures, and protections – including Expanded Data Subject Rights – are seamless between the processing parties. If a co-data controller/data processor is not in the position to support that level of seamlessness, the GDPR requires that processing by such co-data controller/data processor satisfy Category 3 processing requirements by controlling the linkability of data.

Technology solutions such as encryption, static tokenization, stateless tokenization, hashing, data masking, and other security solutions contribute to improved security for Category 1 data uses. They do not protect against unauthorized re-linking or re-identification of data as required under the GDPR for Category 2, 3 or 4 data uses.

Category 2 – Internal Use – Not Authorized by Consent/Necessary for Contract
(Controlled Linkable Data)

This category involves continued processing of data for secondary purposes by the original data controller. Using Linked Data and Readily Linkable Data to provide data subjects with products, opening up accounts, and processing that serves as the initial purpose for data collection constitutes primary use of data by a data controller. When a data controller uses data collected for primary purposes for any other reason not within the scope of the original consent/necessary for original contract, it is a secondary purpose and requires a separate legal basis to be lawful use. Controlled Linkable Data enables secondary data uses by helping to satisfy “legitimate interest” [20] requirements by controlling the linkability of data by leveraging dynamic pseudonymisation and data protection by default. Controlled Linkable Data helps support reliance on “performance of a task in the public interest” [21] as a valid legal basis by enforcing safeguards to ensure that technical and organizational measures are in place in the form of GDPR compliant pseudonymisation and compliance with requirements for proportionality and necessity. Controlled Linkable Data also uniquely supports “anonymity” [22] without destroying all capabilities for re-linking data under tightly controlled conditions thereby opening up new opportunities for data use, sharing and value creation.

Category 3 – External Use – Sharing, Analytics, AI
(Controlled Linkable Data)

This category involves sharing of data (i) for primary use purposes with co-data controllers/data processors not in a position to seamlessly enforce security, processing and contractual requirements of the original data controller (including Expanded Data Subject Rights) and (ii) for secondary use purposes like analytics, AI and machine learning. Former privacy and security technologies used for data sharing no longer satisfy GDPR requirements for lawful use. However, the new state of the art Controlled Linkable Data uses technologically enforced dynamic pseudonymisation and data protection by default to support “legitimate interest [23] requirements and satisfy GDPR de-identification requirements so that data controllers/processors are “not in a position to identify the data subject.” [24]

Category 4 – Generalized Statistics
(Unlinkable Data)

Privacy technologies developed prior to the GDPR were designed to protect predetermined isolated data sets and support generalized statistics, but in this changing regulatory landscape, they fail to comply with new GDPR standards for modern digital processing. Combining and analyzing multiple data sets, inserting unstructured data and adding Linkable Data into data sets – processing at the core of the new digital economy – cause legacy privacy technologies to break down and prevent them from supporting GDPR compliant secondary data uses. [25] Generalized statistics technologies that have been used in the past and claim to support combining protected data sets with other sources of data for secondary purposes or re-linking data to original data sources and data subject identities are not designed to support these uses in a GDPR compliant lawful manner. This requires dynamic pseudonymisation and fine-grain control over data on a per use basis which pre-GDPR technologies cannot support.

The GDPR is disrupting traditional data processing in a significant way, and non-compliance carries significant penalties and risks. Organizations that do not change their data protection practices will find themselves unable to analyze and gain insights from datasets since the legal bases required for lawful processing impose new requirements. The technology for tackling these GDPR challenges is available, however, and works within the GDPR framework to support business specific secondary data uses – which are all about linking data – by providing necessary technical and organizational measures to enforce controls over the linking of personal data. BigPrivacy® technology from Anonos® uniquely enables GDPR compliant secondary data uses by leveraging GDPR compliant dynamic pseudonymisation and data protection by default.

Anonos BigPrivacy Technology Uniquely Supports the New State of the Art – Controlled Linkable Data

Since 2012, Anonos has been actively engaged in research and development to advance the state of the art in data protection, privacy and security technology. [26] The Anonos BigPrivacy platform enforces data protection policies down to the individual data element level via a patented process called Privacy Rights Management® or PRM® that implements Digital Rights Management (DRM)-like technical controls but for the benefit of data subjects. Even in situations where data subjects are not directly involved, BigPrivacy technology manages risk to enable responsible use of data that respects the rights of data subjects to maximize the value and utility of data.

Anonos BigPrivacy uniquely supports GDPR compliant legal basis conversion and data retention, as well as iterative data analytics, artificial intelligence and machine learning (“Big Data Analytics”) by:

  • Enabling adequate data protection across the full data lifecycle by enabling Controlled Linkable Data; and
  • Enforcing dynamic Controlled Linkable Data to adhere to GDPR state-of-the-art requirements to support GDPR compliant Big Data Analytics.

The benefits of Controlled Linkable Data leveraging GDPR compliant dynamic pseudonymisation and data protection by default extend beyond GDPR compliance to enable controls necessary for secondary uses of data underlying the new global digital economy.

Four Categories of GDPR Data Uses
Controlled linking of Big Data = BigPrivacy®
5 Minute TED Talk: Why Big Data Needs BigPrivacy
https://anonos.com/ted-talk

If you are interested in learning more about Controlled Linkable Data to see how your clients can benefit from the new state of the art in data protection, contact us at briefing@anonos.com.

 

This article originally appeared in Lexology.  All trademarks are the property of their respective owners. All rights reserved by the respective owners.

CLICK TO VIEW CURRENT NEWS

Footnotes:

[1] GDPR Recitals 78 and 83 and Articles 25 and 32 require deployment to the fullest extent possible of the state of the art in data protection processing controls and security technologies.

[2] Controlled Linkable Data was presented at an International Association of Privacy Professionals (IAPP) program entitled General Data Protection Regulation (GDPR) Big Data Analytics featuring Gwendal Le Grand, Director of Technology and Innovation at the French Data Protection Authority – the CNIL, Mike Hintze, Partner at Hintze Law and former Chief Privacy Counsel and Assistant General Counsel at Microsoft, and Gary LaFever, CEO at Anonos and former Partner at Hogan Lovells (see https://anonos.com/GDPR_Industry_FAQ.pdf ) and explained in a White Paper co-authored by Messrs. Hintze and LaFever entitled Meeting Upcoming GDPR Requirements While Maximizing the Full Value of Data Analytics (see https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2927540)

[3] Article 52 of the EU Charter of Fundamental Rights and GDPR Recitals 4, 156 and 170 and Articles 6, 24 and 35 reference EU proportionality principles.

[4] New pseudonymisation requirements are set forth in GDPR Recitals 26, 28, 29, 75, 78, 85, 156 and Articles 4, 25, 32 and 89. If a vendor claims to “pseudonymise” data to comply with the GDPR, it is important to verify whether they use static pseudonymous tokens or dynamically changing pseudonymous tokens. Only dynamically changing pseudonymous tokens satisfy state of the art GDPR requirements that the information value of data be separated from the ability to attribute data back to individuals via the "Mosaic Effect." GDPR Article 4(5) defines GDPR-compliant pseudonymisation as requiring separation of the information value of personal data from the means of attributing the data back to individual data subjects. Traditional approaches to pseudonymisation use a persistent, or static, pseudonymous token to replace each data element. Using a simplistic example, the zip code value of 20500 in a database would be replaced with a static pseudonym (or token value) of 6%3a8, and this same pseudonym would be used to replace each occurrence of zip code 20500. Due to advances in technology and threat-actor sophistication, persistent (static) pseudonyms can be readily linked back to individuals via the “Mosaic Effect” in violation of stated restrictions in Article 4(5) without requiring access to keys to reveal the value of persistent (static) pseudonyms. Thus persistent (static) pseudonyms fail to comply with new GDPR requirements to separate data from the means of attributing information back to individuals. In contrast, dynamically changing pseudonymous tokens separate the information value of personal data from the means of attributing the data back to individual data subjects. An example of the “Mosaic Effect” is available at http://dataprivacylab.org/projects/identifiability/paper1.pdf where it is explained that if three seemingly “anonymous” data sets using persistent (static) pseudonyms are combined – one each comprised of zip code, age and gender of US citizens, up to 87% of the U.S. population can be identified by name.

[5] Data Protection by Default is required under GDPR Recitals 78 and 108 and Articles 25 and 47. Data Protection by Default requires real-time, use case specific, fine grain control over use of personal data. Be wary of vendors who highlight adherence to “Privacy by Design” principles but do not similarly state that they comply with “Data Protection by Default” requirements. They are not one in the same – the GDPR mandates the strictest implementation of Privacy by Design, which is Data Protection by Default.

[6] See footnote 2, supra.

[7] While “consent” under GDPR Article 6(1)(a) remains a lawful basis for processing personal data, the definition of consent has been significantly restricted. GDPR Recital 32 and Article 4(11) mandate that consent must be “freely given, specific, informed and an unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.” These heightened requirements for consent under the GDPR shift the risk from individual data subjects to data controllers and processors. Prior to the GDPR, risks associated with not fully comprehending broad grants of consent were borne by individual data subjects. Under the GDPR, broad consent no longer provides sufficient legal basis for processing personal data.

[8] While “necessary for the performance of contract” is an available legal basis for processing personal data under GDPR Article 6(1)(b), Opinion 06/2014 of the Article 29 Working Party (WP29 Legal Bases Opinion) clarifies that availability of performance of contract as a legal basis must be “interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract.” Scenarios in the WP29 Legal Bases Opinion concerning limitations on permissible data processing clarify the limited availability of legal bases for data uses that are not genuinely necessary for a transaction (see http://www.dataprotection.ro/servlet/ViewDocument?id=1086 ).

[9] The requirements for GDPR Article 6(1)(c) “compliance with a legal obligation of a controller” to serve as a valid legal basis for processing personal data eliminate it as a viable legal basis for many secondary data uses. The requirements for GDPR Article 6(1)(d) “vital interest of a data subject” to serve as a valid legal basis for processing personal data eliminate it as a viable legal basis for many secondary data uses. For GDPR Article 6(1)(e) “performance of a task in the public interest” to serve as a valid legal basis, processing of personal data must be subject to GDPR safeguards to ensure that technical and organisational measures are in place, including GDPR compliant pseudonymisation, that comply with requirements for proportionality and necessity under GDPR Recitals 4, 156, 170 and Articles 6(4), 24 and 35. “Legitimate interest” under GDPR Article 6(1)(f) may be a valid legal basis for secondary data uses if GDPR proportionality, necessity, and state of the art obligations are satisfied by complying with new GDPR dynamic pseudonymisation requirements under Article 4(5) and data protection by default requirements under Article 25.

[10] GDPR Article 6(1(f).

[11] GDPR Article 6(4).

[12] See footnote 4, supra.

[13] See footnote 5, supra.

[14] GDPR Article 6(1)(a).

[15] GDPR Article 6(1)(b).

[16] See definition of “Linked Data” on page 9 of White Paper entitled Meeting Upcoming GDPR Requirements While Maximizing the Full Value of Data Analytics cited in footnote 3, supra.

[17] See definition of “Readily Linkable Data” on page 10 of White Paper entitled Meeting Upcoming GDPR Requirements While Maximizing the Full Value of Data Analytics cited in footnote 3, supra.

[18] Consent has been significantly restricted under the GDPR to require that it must be “freely given, specific, informed and an unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.” These heightened requirements for consent under the GDPR shift the risk from individual data subjects to data controllers and processors. Prior to the GDPR, risks associated with not fully comprehending broad grants of consent were borne by individual data subjects. Under the GDPR, broad consent no longer provides sufficient legal basis for processing personal data. The WP29 Legal Bases Opinion clarifies that availability of performance of contract as a legal basis must be “interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract.”

[19] Article 15 - Right of Access; Article 16 - Right to Rectification; Article 17 - Right to Erasure/Right to be Forgotten; Article 18 - Right to Restrict Processing; Article 19 - Notification to Data Recipients of any Rectification, Erasure, or Restriction of Processing; Article 20 - Data Portability; Article 21 - Right to Object; and Article 22 - Exclusion from Automated Decision-Making/Profiling.

[20] See footnote 10, supra.

[21] GDPR Article 6(1)(e).

[22] GDPR Recital 26 stipulates that “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information.” The WP29 published an opinion on achieving GDPR-compliant anonymization (available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf ) (WP29 Anonymization Opinion) which includes, inter alia, three criteria for assessing the efficacy of anonymization techniques – i.e., the inability to use an “anonymized” data set to (1) single out, (2) link to, or (3) infer, the identity of a data subject. If these three criteria are met, a data controller is on the “safe side.” If these three criteria are not met, it does not mean that anonymization is not possible but a data controller must conduct a risk analysis to verify that the risk of re-identification is sufficiently low; additional safeguards and techniques may be required. Controlled Linkable Data uniquely enables “Privacy Rights Management for Individuals (PRMI) which enables “anonymous” data to be re-linked under tightly controlled conditions - see discussion on pages 10-11 and pages 14-24 of White Paper entitled Meeting Upcoming GDPR Requirements While Maximizing the Full Value of Data Analytics cited in footnote 2, supra.

[23] See footnote 1, supra.

[24] GDPR Articles 11(2) and 12(2).

[25] Prior to the development of Controlled Linkable Data, the state of the art in privacy technology consisted of tools to support generalized statistical analysis. Traditional technologies leverage “Privacy Enhancing Techniques” or “PETs” (e.g., k-anonymity, l-diversity, t-closeness and differential privacy) enable data controllers/data processors to use isolated, protected data sets as compliant stand-alone data resources. By supporting generalized statistics, these technologies help provide insights into high-level trends, demographics, etc. These protected data sets are considered “safe” because they are purportedly unlinkable and not capable of being linked back to original data sources or to data subject identities. The term “anonymous” is sometimes used in connection with these data resources. Data controllers/processors should be wary of combining these isolated, protected data sets with other sources of data for secondary purposes, re-linking data to original data sources or to data subject identities since such uses of personal data are not lawful under GDPR and are a principal type of processing the GDPR seeks to improve. Privacy solutions premised on traditional PETs to enable use of “anonymized” data protected against re-identification may comply with the GDPR and even be outside of its jurisdiction. However, once a data controller/processor attempts to link results from generalized statistical analyses back to original data sources or to data subject identifies, new GDPR requirements must be satisfied or the data use is unlawful. This requires dynamic pseudonymisation and fine-grain control over data on a per use basis which generalized statistical technologies do not support. The principal reason for this shortcoming is that PETs were designed to protect privacy of data within a data set but not between and among data sets outside of a “controlled environment” in which they work. They do not comply with new GDPR standards for pseudonymisation and data protection by default.

[26] The Anonos BigPrivacy dynamic de-identification systems, methods and devices that support GDPR compliant dynamic pseudonymisation and data protection by default requirements are covered by foundational granted patents (including, but not limited to, Nos. U.S. No. 9,631,481; 9,129,133; 9,087,216; 9,087,215; and 9,619,669) and a portfolio of over 50 pending U.S. and international patent applications.

Are you facing any of these 4 problems with data?

You need a solution that removes the impediments to achieving speed to insight, lawfully & ethically

Roadblocks
to Insight
Are you unable to get desired business outcomes from your data within critical time frames? 53% of CDOs cannot achieve their desired uses of data. Are you one of them?
Lack of
Access
Do you have trouble getting access to the third-party data that you need to maximise the value of your data assets? Are third-parties and partners you work with worried about liability, or disruption of their operations?
Inability to
Process
Are you unable to process data due to limitations imposed by internal or external parties? Do they have concerns about your ability to control data use, sharing or combining?
Unlawful
Activity
Are you unable to defend the lawfulness of your current data processing activities, or data processing you have done in the past?
THE PROBLEM
Traditional privacy technologies focus on protecting data by putting it in “cages,” “containers,” or limiting use to centralised processing only. This limitation is done without considering the context of what the desired data use will be, including decentralised data sharing and combining. These approaches are based on decades-old, limited-use perspectives on data protection that severely minimise the kinds of data uses that remain available after controls have been applied. On the other hand, many other new data-use technologies focus on delivering desired business outcomes without considering that roadblocks may exist, such as those noted in the four problems above.
THE SOLUTION
Anonos technology allows data to be accessed and processed in line with desired business outcomes (including sharing and combining data) with full awareness of, and the ability to remove, potential roadblocks.