IAPP Summit: BYOB (Bring Your Own Legal Basis)

Presentation Transcript
Gary LaFever:
[00:06] Let me start off by why you can't do big data, which starts with “What is big data?” And so, big data when we use the term is iterative data analytics, artificial intelligence, and machine learning. By definition, it's asking that second, third, fourth, fifth, nth question that you don't know when you start off. That's the magic of big data. So, that is big data.

[00:39] Does your company perform big data analytics using EU personal data? Because if you do, what happens when you can no longer use that data?

[00:50] There's a huge difference between the lawful processing of big data under the General Data Protection Regulation (GDPR) and being compliant. And so, that distinction is significant. Why? Because the ways that you used to do big data, which we call here linked or readily linkable data are no longer permitted because they were premised on consent of the data subject. And how is a data subject going to give you unambiguous specific consent in advance to something by definition you don't yet know?

[01:29] We defined big data as interactive questions. So, if I can't give you the first question, it's impossible to get the data subject’s consent to the second, third, fourth, and the one after that. So, you have to have a new legal basis and new technologically enforced approach to do big data.

[01:49] You can be compliant by not doing big data. How many companies look to big data for their growth? They take the result of their operations and their transactional flow and they're looking to use that to increase the value of their organization. Other organizations are focused on secondary use of data. So, you have to be very, very careful that you don't ask your advisors and your technology providers to make you compliant but rather to have lawful processing of data.

[02:20] Very simple. If you're talking to a technology provider whose technology is more than 12 months old, there is no way it was developed to satisfy the GDPR because the very specific requirements for Pseudonymisation under Article 4(5) and data protection by default did not exist a year ago. So, you need to look at whether they meet your needs that you have today, tomorrow, next year, and next May under the GDPR.

[02:49] The 1, 2, 3s of BigPrivacy. First, we decouple the data from the identifying elements. This is what in the GDPR they refer to as Article 4(5). Decoupling the information value of the data from the means of attributing data back to the individual. Step one.

[03:16] Step two, protect the data by default so that only those data elements that were necessary or are necessary to support a very specific authorized use are revealed, no more. And then upon completion of use, they’re re-protected. This is the first half of the requirement for data protection by default.

[03:39] The third step, having done those two - decouple the data and protect the data by default enables something that is very powerful, which is the granular control of sharing based on time, purpose, place that actually gives you the value you're looking for from the data without revealing any more of identifying information that is necessary.

[04:01] But that's dynamic de-identification, which is the use of different pseudonymous identifiers at different times for the same data element. That's what decouples the information value from the means of attributing it back to the data. That's what enables you to protect the data by default to begin with. And in doing so, you can control the sharing.

[04:23] Before you go to do data analytics of big data, you have to have the right. And that right, for the most part, used to be premised on consent that no longer works. So, before anyone tells you their analytic system can do X, Y, or Z, you need to ask yourself: “What rights do I have to do that to the data?” Because the rights you had yesterday will not work tomorrow.

Are you facing any of these 4 problems with data?

You need a solution that removes the impediments to achieving speed to insight, lawfully & ethically

Roadblocks
to Insight
Are you unable to get desired business outcomes from your data within critical time frames? 53% of CDOs cannot achieve their desired uses of data. Are you one of them?
Lack of
Access
Do you have trouble getting access to the third-party data that you need to maximise the value of your data assets? Are third-parties and partners you work with worried about liability, or disruption of their operations?
Inability to
Process
Are you unable to process data due to limitations imposed by internal or external parties? Do they have concerns about your ability to control data use, sharing or combining?
Unlawful
Activity
Are you unable to defend the lawfulness of your current data processing activities, or data processing you have done in the past?
THE PROBLEM
Traditional privacy technologies focus on protecting data by putting it in “cages,” “containers,” or limiting use to centralised processing only. This limitation is done without considering the context of what the desired data use will be, including decentralised data sharing and combining. These approaches are based on decades-old, limited-use perspectives on data protection that severely minimise the kinds of data uses that remain available after controls have been applied. On the other hand, many other new data-use technologies focus on delivering desired business outcomes without considering that roadblocks may exist, such as those noted in the four problems above.
THE SOLUTION
Anonos technology allows data to be accessed and processed in line with desired business outcomes (including sharing and combining data) with full awareness of, and the ability to remove, potential roadblocks.