Business Applications of Anonos Use Cases
The following business applications highlight numerous examples of some of the benefits from transforming current business practices involving the processing of vulnerable identifying cleartext data – which is not required to produce the desired results – to processing protected GDPR Pseudonymised data whenever, wherever, as often as possible. When using Anonos Data Embassy GDPR Pseudonymisation-compliant software, identifying cleartext data is used only when lawful derogations (i.e., exceptions to prohibitions) exist.
BI reporting Using Cloud-Based Applications
Anonos Data Embassy software enables GDPR Pseudonymisation of direct and indirect identifiers and attributes to create pivot tables representing personal data before the information is used for BI processing hosted on US cloud platforms, regardless of the location of the servers. This enables processing in compliance with both Schrems II and GDPR legal basis requirements. When someone wants to “drill down” to see identifying data, Variant Twins can be used by a data controller in the EU to relink to identifying data to provide the desired details.
E-mail Marketing Campaigns
Variant Twins are created that pseudonymise all personal data in compliance with heightened GDPR requirements for each individual, which are then processed against cleartext non-personal data that serve as filtering criteria. After Variant Twins representing the people desired in outreach are determined, the identities represented by the Variant Twins are compared against Variant Twins representing customers (i) who have opted out of receiving offers or (ii) are already involved in campaigns, thereby avoiding contacting people who should not receive offers. Once the Variant Twins representing the people who should receive offers are identified, the data controller can use the “additional information” held separately to relink the results of the Variant Twin processing to EU data subject identities provided that (i) there is a legal basis to do so under Article 6, and (ii) processing satisfies derogation requirements.
This approach protects personal data until data subjects’ email addresses are needed to transmit offers to them individually. It is important to note that restricting the use of email services to EEA/Equivalency Country providers will not improve privacy since data travels across the internet in packets. When an e-mail is sent, the message breaks up into packets that travel across the global Internet Protocol (IP) network. Different packets from the same message don't necessarily follow the same path. Rather, packets travel from one machine to another until they reach their final destination, with the processing occurring in milliseconds. The computer finally receiving the data assembles the packets like a puzzle, recreating the message. This differs from a phone system that creates a dedicated circuit through a series of switches, but which are susceptible to failure if something happens to the connection. In contrast, if a connection in the IP network should fail, data can travel across an alternate route. As a result, there's no guarantee that an email sent from Paris to Madrid does not process on routers in the US or another third country.
Cybersecurity and fraud experts rely on monitoring global source data to identify anomalous behaviour that, in some instances, represents bad actors. These data sets are some of the most sensitive data any company holds. Being able to create privacy preserving views of the data enables data science teams and models to evaluate risk in new ways with greater scale to identify bad actors. By providing detection models with Variant Twins representing personal data to enable identification of outlying values with suspicious “signals” in them, EU data controllers can use the suspicious Variant Twins to identify source data only when there is a record that needs to be investigated, provided that (i) there is a legal basis to do so under Article 6, and (ii) processing satisfies derogation requirements or is localised within the EEA or Equivalency Countries.
Access to Outsourced Expertise
Organisations desire to outsource processing – via cloud or remote access arrangements – when they don't have the internal resources to perform them internally. In these instances, Variant Twins can be created that reflect discrete but sufficiently large groups reflecting homogenous characteristics, behaviours, etc., to enable analysis without revealing identities. This enables compliance with both Schrems II and GDPR legal basis requirements. When identifying data is desired, Variant Twins can be used by a data controller in the EU to relink to identifying data to provide the desired details. Examples of this business application include Marketing Automation (in the form of Lead Prospecting, Lead Identification, Upsells or Cross-Sells, and Conversion); Advanced Analytics, ML and AI; and Follow-the-sun (24X7) processing or support.
Multi-Organisation Coordinated Activities
Anonos Data Embassy software enables the evaluation of overlap or complement between and among different data sets at a non-identifying but information-rich level by creating Variant Twins that reflect discrete but sufficiently large groups (Microsegments) reflecting homogenous characteristics, behaviours, etc., to enable analysis without revealing identities. Examples of potential multi-organisation coordinated activities include potential combinations, mergers and acquisitions, joint ventures, coordinated marketing campaigns, etc. Organisations can compare data sets without revealing personal data to determine if there is sufficient rationale to justify coordinated activities, provided that (i) there is a legal basis to do so under Article 6, and (ii) the activity satisfies derogation requirements or is localised within the EEA or Equivalency Countries.
HR data is used for many purposes, some of which are addressable using Anonos Data Embassy enabled GDPR Pseudonymisation. For example, Anonos Variant Twins may be used to support Talent Analytics by enabling the evaluation of patterns among groups of people that are homogeneous enough to reflect unique attributes or behaviours or capabilities but large enough that they don’t reveal individual identities. The individuals represented by each Variant Twin may then be disclosed provided (i) there is a legal basis to do so under GDPR Article 6, and (ii) the processing satisfies derogation requirements or is localised within the EEA or Equivalency Countries.
Anonos enables companies to build protected Variant Twin versions of data assets for privacy-preserving sharing with third parties in a private and compliant manner so that machine learning & artificial intelligence code, outsourced risk models, algorithms, software and other data-driven products can be evaluated to make timely decisions on licensing, investment or acquisition.
An example of Third-Party Evaluation is “API monetization,” involving generating revenues from using APIs. APIs are an iteration of business development, where having well-developed APIs establishes and maintains relationships in a digital economy. Having private and compliant Variant Twin versions of data assets available for API’s provides maximum value when considering New Data Economy opportunities.
Business Continuity for US Data Flows
Increasingly, US state privacy laws (e.g., California, Colorado, and Virginia) require the deletion of identifying data from both an organisation’s systems as well as all third parties to whom data was shared, in response to “do not sell my data requests.” However, these laws include exceptions for properly transformed versions of data in compliance with statutory requirements for protection, which are satisfied using Anonos Data Embassy software.
Transform local and global economies by leveraging Fourth Industrial Revolution (4IR) technologies to reimagine consent and permission mechanisms differently. See World Economic Forum article Data marketplaces can transform economies. Here’s how.18
Avoid Criminal and Personal Liability
Section 171 of the UK version of the GDPR makes it a criminal offence to knowingly or recklessly re-identify information that is de-identified without permission. Section 198 provides that executives and Board members can be found personally liable for failing to comply with data protection requirements “by consent, connivance, or … neglect.” Compliance with Data Protection by Design and by Default obligations under Article 25 and Security obligations under Article 32 using GDPR Pseudonymisation helps establish the standard of care necessary to avoid liability.
Synthetic Data Replacement
Organizations have historically used synthetic data for many leading data use cases, but with limitations. Synthetic data can't be joined with other data sets, so for each iteration of the data journey new synthetic datasets have to be generated. This slows down and restricts the analytical generation process. Also, by definition, synthetic data is not real so you can never create actionable insights at an individual record level. Creating a Variant Twin with Data Embassy software to a defined level of protection can replace the synthetic data and create protected assets that can be combined, modeled, or enriched but still hold the ability to deliver granular actionable insights.