5G and GDPR
Just Because You Can Capture Data Does Not Mean You Can Use It

5G with IEEE Webinar
Presentation Transcript
Gary LaFever Gary LaFever
CEO & Co-Founder
Dr. Alison Knight Dr. Alison Knight
University of Southampton (UK)
Senior Legal Adviser
5G and GDPR – Just Because You Can Capture Data Does Not Mean You Can Use It
About the Webinar:

5G technologies will make it possible to interconnect with billions of devices and sensors globally, further fueling the growth of large scale dynamic decentralised/distributed data processing business models. These dynamic models will generate significant business opportunities as well as potential liabilities from failure to comply with centralised data protection requirements like those under the EU General Data Protection Regulation (GDPR). The GDPR, which goes into effect on May 25, 2018, includes fines as high as 4% of annual global gross revenues for data controllers and processors who fail to satisfy its requirements. Learn how new dynamic data protection requirements under the GDPR can help to resolve these conflicts and help to facilitate adoption of 5G capabilities.

About the Speakers

Dr. Alison Knight PhD, - University of Southampton (UK) Senior Legal Adviser: Dr. Knight is a senior compliance lawyer and academic researcher in cyber, data protection, privacy laws, and competition / antitrust laws. Her research interests revolve around risk management and legal compliance, in particular the role law can play in virtual identity assurance, and personal data protection, along with data analytics and emerging technologies. She also trains companies on data ethics/governance and GDPR compliance.

Gary LaFever, Anonos - CEO & Co-Founder: Gary LaFever is Chief Executive Officer at Anonos. A foundational underpinning of Anonos' patented BigPrivacy technology is that “Big Data” requires a new scalable, privacy-preserving approach to enable organisations to process data while managing security and privacy concerns. BigPrivacy dynamic pseudonymisation technology uniquely supports the transformative shift in data protection from policy-only approaches to a technology-based approach that granularly enforces data protection policies as now required under the GDPR and other evolving data protection regimes.
5G and GDPR Just Because You Can Capture Data Does Not Mean You Can Use It
Peggy Matson (Washington University)
[00:06] Good morning. Good afternoon. Good evening. Welcome. My name is Peggy Matson. I'm the Program Director and Clinical Professor in the engineering school at Washington University in St. Louis. I do o a little teaching at Northwestern University as well in my spare time. I’m also Founding Principal of Tech Strategies Group and co-chair of this IEEE 5G Webinar Series. I'd like to welcome you to today's webinar, the 10th in our 5G series.

[00:33] So, you may recall, as we've discussed in some recent webinars, IoT has burst onto the scene and IoT is growing exponentially. You can see it in the startups in the growth of those companies that are in the space and the deployment of 5G networks promises to only accelerate that growth. So, with the explosive growth of IoT comes the explosive growth of data, and one of the biggest challenges in the use of data is using that data in aggregate, really using it to get the intelligence out of it but while preserving the security and privacy of the data almost independently of who owns the data.

[01:10] As some of you have heard of GDPR, The UK is taking the lead role in defining the regulation to that aim, but a critical question remains for many: “What does that technology really look like that’s solving their problem exactly what GDPR is trying to regulate for?” And today, I'm really pleased to introduce today's speakers to talk to that very question. Dr Alison Knight and Gary LaFever. Alison is out of the University of Southampton in the UK. So, she's sitting exactly where the hotbed is. She's a Senior Adviser, and she has a dual role of Academic Researcher in cyber data protection, privacy laws, and antitrust, and she has a particular interest and expertise in data ethics and GDPR.

[02:00] Gary is CEO and co-founder of Anonos. Anonos is an exciting 6-year-old US-based company with proprietary technology that helps out the very problem that GDPR is also addressing and that's protecting the privacy and quite frankly the security of our data. So, just a reminder, we've dedicated the last 20 minutes or so to Q&A. I encourage you to submit a question anytime during the presentation. I'll be reading them so that the speakers don't have to stop and read them before they answer at the end. So, I'll be moderating. Type in the question anytime, and I'll get to as many as we possibly can. Now, I'd like to hand the call over to our featured speaker. At least, Gary's going to start off. Gary, all yours.
Gary LaFever (Anonos)
[02:44] Peggy, thank you so much for that introduction. And as Peggy mentioned, we're very, very happy and actually honored to have Dr. Alison Knight with us. Dr. Alison is the Senior Legal Adviser at the University of Southampton, but she actually did her PhD on this very topic. So, she's very well knowledgeable in this space.
Data-Driven General Analysis and the GDPR: Friends or Foes?
[03:05] The next slide as we begin this, what we're really talking about here today is data-driven analysis and 5G makes a ton more information available, as we all know. More interconnectivity amongst that information, as well as just mounds of additional information and the real opportunity for industrial strength applications. And this is great. It provides awesome new opportunities for innovation. But it also can create unintended consequences. And so, the discussion today is about with this data-driven analysis, is the GDPR a friend or foe? And we think you'll find it's actually both but much more of a friend than a foe. But what it does require and Alison will go into great detail on this is that it requires something much more than just privacy by design, which is something that you may have heard of. It actually has very specific requirements for Pseudonymisation and data protection by design and by default, which is all about protecting data at the earliest opportunity. And so, we will be discussing the constraints and restrictions that the GDPR puts on ongoing use of data, some of which may surprise you. But the real encouraging part is the opportunities for increased use and ongoing innovation that it allows for as well. So with that, Alison, please. Thank you.
Dr Alison Knight PhD (University of Southampton)
[04:28] Hi, everybody! It's a great pleasure to talk to you today on this webinar. In particular, 5G is the hot topic of the moment in comms and also if you've never been on another planet, you'll have heard that the EU General Data Protection Regulation or the GDPR is really the hot topic in privacy law. In fact, it's the gold standard now internationally and is setting the lead for how data privacy and data protection law should be in the world around. Now, of course, in this world where we have so much data and as Gary and as Peggy mentioned the Internet of Things, so much of this data is going to relate to people. And so, we have this potential and I'm going to talk a little bit about what the concept of personal data actually means, but we have the potential that data protection and privacy laws apply.

[05:24] So, really, a big question that has guided my career is really thinking about how do we do amazing things with this data? How can we really drill down and get value and create impact in the way that we want to? And yet, how at the same time can we protect rights in data? So, we don't talk anymore about ownership. That's not how we talk about ownership in data in a legal sense, but we do talk about that people have rights in that data and that's a big scary concept if you're coming to this new. So, it's time to think about: “Are these two things incompatible?” Well, in some ways though some people have conceived them as being in stark contrast, but what we'll see actually is if approached in the right way it's more of a sliding scale.

[06:11] And so, we have to find what's the right balance between those two and how can we marry them together in a friendly way? So, we need to learn the tools and the roadmap for doing that. Now, I am a researcher, but I'm also a pragmatist. I've been banking in my own institution as you can imagine a very big university with lots of personal data. In fact, data is oil at that university. It's a key resource. So, we have to handle it very carefully. We want to make people have trust and know that we tend to do the right thing with their data, and I'm helping implement the GDPR.

[06:48] So, what I'm going to talk today is about it's not just in a theoretical sense, but really what are the tools that I use? How am I doing this on the ground? And I want to share that with you because I think once you click about how to really do this thing, it can be a bit of a revelation and it can also be very encouraging. We're not seeing the GDPR so much as an enemy to what we're doing. We actually see that if we approach it in the right way, we can get great benefits from it. So, we have to see it as much as an organizational enabler rather than just an organizational deterrent. That's the way we're moving. Let's see it as a competitive advantage in the way that we do things.

[07:30] Now, I'm thinking also as someone who's been working with SMEs and startups and very big companies who want to share that data. We've been trying to create a European data innovation ecosystem. So, really, over the last couple of years, we've actually been learning and I mean this is what I'm going to present to you as going to be the findings that I found about how do we provide that real sandpit in which data innovation can take place in a safe way and I've been planning and thinking because I know what's happening in the GDPR. I knew what was going to come, what's riding next on 25th of May. So, this is what I want to do is to present my findings to show you the roadmap that I found. So, if we can move to the next slide, please.
“There is no doubt the huge potential that creative use of data could have, but the price of innovation does not need to be the erosion of fundamental privacy rights.”
[08:19] These are the words of Elizabeth Denham. She works as the Commissioner in the UK. She's got huge amounts of expertise and she comes in as someone who realizes the potential for great data use. So, as you can see from this quote, she said: “There's no doubt the huge potential that creative use of data could have.” So the word is “could” here. “But the price of innovation does not need to be the erosion of fundamental privacy rights.” So, what she's saying is you can get it right. You can get these benefits, and achieving that doesn't have to mean you're talking around breaking the data protection law. She says she's giving us an opportunity, a white flag to say: “You know, this stuff is okay. We can achieve it, but there are lessons to be learned from the people who have done it wrong.”

[09:09] So, the quote was actually used in the context of a decision by the Information Commissioner in the UK that a Royal Free Health Trust had actually broken laws when what it was trying to do was try to test out some really innovative things around producing an app to detect kidney disease. So, really, a beneficial purpose and it had provided 1.6 million patient details to keep Google DeepMind for analysis. And she was saying: “You know, it's a great project. But hang on, everyone, you've done things which are wrong.” Broadly, they have relied on implied consent, and I'm going to talk a bit about that. It was the wrong lawful basis. That's the terminology we use under data protection law. Secondly, there was a disproportionate amount of data, the sheer amount and the fact that some of it hadn't been anonymised. I’m going to talk about the word “anonymisation” in a bit. It was actually sort of real identifiable health data.

[10:11] And third of all, they hadn't really thought about the impact of what the analytics was going to be right from the start of the project. So, basically, they hadn't provided enough transparency and there wasn't enough evidence that what they were doing was within the reasonable expectations of the people whose data was used. And so, they fell on many marks but they didn't have to be. So, she was very kindly in the pit making sure, of course, the companies had to be audited, but she was giving us a flag that we can do this. But let's get it the right way around in particular as GDPR is about to approach and raise the bar. So, if we can move to the next slide, please.
Two Different Approaches to Data Protection
[10:54] So I guess the key thing to say here is that that decision was actually taken under the existing law. So, we have the EU Data Protection Directive, which has been implemented in the UK. And traditionally, these rules came in 20 years ago. This is when we lived in a world of information, not a world of data. So, this is when we're in a very static environment and that was a way that the law was out. It was easier. It is more dangerous. It’s static. It’s going to take a piece of legislation to deal with data flows of today and the ways that like water it can flow and it has a different relationship. We can play a different role as controller or as processor depending on the very purposes for which we want to process that data. And this is really the driver of why the GDPR was introduced and it's a friend to us in many ways as data protection lawyers and people want to comply.

[11:51] Now, that may come as a surprise to you, but I'll tell you why. It’s because it recognizes that we're in an environment where there is a lot of risk. We live in this risk, but it says that's okay. It recognizes that use of the word “risk.” The trick here is to recognize that risk is a very dynamic concept. So, we can't assume that we do data protection and forget. We've got to think that GDPR is for the 25th of May and not after that. But also, it's about risk mitigation and it’s those keywords that will give us a complex that we need to assess and we need to consider in a dynamic transitive sense that we do data protection as we do data processing of our data cycle. But we adapt to it as well and that's okay. The GDPR recognizes and it has a ton of little bits. I'm going to explain that a bit more as we go along. So, if we can move to the next slide then, please.
GDPR Dynamic/Adaptive Approach
[12:47] So, let me drill down a little bit into what this risk or dynamic/adaptive approach actually is. Now, I want to sum it up in three main points. So, the first point there is the key headline point that I've been proposing is the fact that we can co-exist the two - great data protection and also great data innovation but we want to be able to have that legal comfort. We want to know if the head of the organizations are doing things right and yet we want to have our cake and we want to eat it. We want to get great data. So, that’s the headline. So, what sits beneath that?

[13:24] Well, the second point is that that doesn't detract from what we're doing normally when we do risk assessment. We really need to understand who are the actors involved in risk assessment? What exactly is at risk with the data in particular that we want to use here? Why? Why is it very key here? What is the purpose? Now, that's a word that I'd like to come back to again and again when it comes to GDPR. It’s not as static, and purpose is really indicative of the fact that it's dynamic. What do I want to do with my data? Now, of course, you may not know that right at the beginning with all these creative things you want to do, but it's a question that you should be asking as your projects progress. And of course, we want to know how. What's the best way that we give access to data to the people who need it, but we ensure that those people who don't and we can mean external from external threats but also, of course, we don't want people in our organizations to have access to data when they don't need to.

[14:20] So, we need to think about those types of questions. But we need to combine them with questions around risk mitigation and the right type of risk mitigation. So, coming back to this terminology of purpose, we want to make sure that when we start out, we say to ourselves: “What do we want to achieve with our data analytics?” Now, that purpose and that idea of what we can do with data will change and evolve. But really, as we go over time periods we want to keep in mind that there's a sense of achievement of what we want to do and almost preserve our purpose. This is something I’m going to explain in a minute, but this is something that the GDPR also views and there are very good reasons for that as I’ll explain. But the fact is that these are accompanied by two other really important safeguards. The fact that you are protected as you go along to mitigate those risks as your purpose evolve and as your data analytics evolve.

[15:20] But also, we want to make sure that we’re using the right type of data. No one wants to use bad data and there are a lot of bad data out there and up there but also data that the bad had been stripped away. We want to use great data but get to manage that in the right away and ensure that we can demonstrate that. That’s what the principle of accountability - the headline principle under GDPR is that we must be able to demonstrate managing your data properly. And so, the third step here is about Dynamic Pseudonymisation. Now with Pseudonymisation, Gary is going to talk a bit more about this. But really, most people haven’t come across what Pseudonymisation means. It means that you’re taking out direct identifiers from a personal data or a personal dataset and you’re replacing them with pseudonyms.

[16:12] Now, one of the big changes is on the GDPR says that if my data and even if you keep those direct identifiers in a very big facility, you still could be perceived to be dealing with personal data. And of course, the processing of personal data triggers the GDPR. However, what it doesn't say is that that means that always it will be personal data. It says with the right mitigatory safeguards in place - so, the technical, the legal, and the organizational - you can achieve that state of non-personal data, but not just that. Dynamic Pseudonymisation done in the right way can actually facilitate achieving the GDPR. It can be a win-win and we’re going to talk more about that. The reason is because the controller retains that ability to ensure that the linkability in the dataset is set in relation to the purpose for what you want to achieve. It means that you're actually embedding the right accountability to demonstrate that you're complying with the two main bits of the GDPR - fair and lawful processing under GDPR Article 5 and Article 6. Can I move to the next slide, please?
Data Controllers CAN Engage in GDPR Compliant Analytics
[17:26] So yeah, it's worth repeating again here. Data controllers can engage in GDPR-compliant analytics if they take the right approach. And this approach, I'm suggesting needs to be a dynamic approach and it needs to be one that takes into account all the different enablers in the GDPR. So, really, I'm going to explain enablers but it's not enough to sit in with our lawyers now and to suggest that we have to do things the same way we've done before. We have to be proactive and we have to take action, but we have to take the right type of action and we need to pick the type of action that works for us in the sense that it's going to do the job for us so we can sleep easy at night knowing that it's not a risk that's out of control. But actually, we have some comfort that we can demonstrate that we're actually being GDPR-compliant. If I can move to the next slide, please.
The Future of Analysis: Consent?
[18:20] So, I guess the next question that you're thinking about is: “Well, how do I actually do this?” And you're probably also thinking: “Well, you know, Alison, I've heard all that consent. This is one thing that comes up when I hear about GDPR. Surely, consent is going to be raised now, isn't it? It’s going to be more difficult? Where does this land me when I want to do all these great things with data?” Well, you’re right on one count. The GDPR does raise the standard of consent. It now has to be freely given and specific. It has to be informed and unambiguous. And the driver behind that from the European level is the fact that it really needs to give people - so, the data subjects - real choice and control. That’s where the legislators are heading. We need to be able to get individual control. They need to be in the driver's seat when it comes to them consenting. And actually, that's really, really difficult when you're thinking about generalized analytics.

[19:16] So, how do you get very specific, very informed consent when you're not quite sure what you want to do with that data and it's not just that. It makes it more complicated because as you see from the second bullet, if you rely upon consent for when you originally get that taken, you may be thinking as an organization: “Well, I want to do really amazing things with this data.” And your legal person comes back and says: “Well, hang on. You've got consent for this but this is tying our hands behind our backs. We can't really do much else apart from getting consent for them to do all these analytics.” And you start to see that actually it's a real straightjacket for organizations to go down that consent route.

[19:59] And as I put in the third bullet, you'll actually see that the leading EU regulator of data protection - the Article 29 Working Party, which is now being transformed into the European Data Protection Board (EDPB) under the GDPR, they've actually said and this has been backed up by rulings that have said that it's not enough in the future or even now to really just talk about the fact that you want to get someone's consent to carry out generalized analytics, generalized research, or to do great things even if you dress it up to the data subject. That's not going to satisfy all four levels of the GDPR around getting specific requirements when you’re obtaining consent from someone. Can I have the next slide, please?
The Future of Analysis: Legitimate Interest!
[20:47] So, of course, that makes us think: “Hmm, well, so then what do we do? How do we go forward?” A lot of people are so enwrapped by their terminology of consent that they're not quite sure what does the GDPR permits us to do other than via consent. But we do have a lot of tools here because we have to remember that there are other what’s called lawful bases a part from consent that the GDPR says are equally important. Pay attention to these. These allow you to do things. The real difference here is the fact that whereas we’re thinking about obtaining consent is putting the individual in the driver’s seat. You have to give that information so they really know what they’re consenting to. There is an alternative basis and one of these is legitimate interest. It says that you don't need to get consent and the very reason is because there are so many safeguards built into this lawful basis. The criteria that you need to meet to satisfy it, that actually it's enough you meeting data protection by the very fact that you're meeting these criteria.

[22:02] So, let me explain a bit. For legitimate interest, it says that there are three conditions that you need to satisfy. So, first of all, you must have a legitimate interest. That sounds like what it is. But there are some times we'd like to think that we have a legitimate interest in all organizations to do personal data processing. But really, it's got to be of the right kind but it's got to exist. So, there's got to be a real benefit that can be driven and it's got to be the benefit of the right people involved. But really, the second step is really key here because what it says it's not just enough to have a genuine need for something which is generally beneficial from your data processing, but also that it must be proportionate. So, this is a key aspect that fits into everything to do with GDPR is that you must ensure that you have data minimization. You're really using only the data you need.

[22:57] And the third step is that there must be a balancing test that you’re showing that you’ve thought about the interests of the data subject and to carefully consider them alongside your own interests and that it’s really important here that you’ve put in the right technical and organizational safeguards and it specifically mentions Pseudonymisation here in place to balance the interest of these parties. So, it's saying: “You know, we'd love to rely upon you demonstrating that even with this test and of course you do have to document it.” But not just that. They're saying: “You know, the test integrates the fact that there must be the right safeguards in place.” But it gives you a clue to those including things like Pseudonymisation. I’m going to explain why that’s important in a moment. So, if I could have the next slide, please.
The Future of Analysis
[23:48] So, really, we're talking about the future of analysis here under the GDPR. It’s something where you’re actually going to have to embed the right data protection into your operations through data protection by design but also by default. Now, this is actually a mandatory requirement under the GDPR and it might sound quite scary, but actually it's a great mechanism because what it means is if you can embed data protection principles so the right set of questions and the right type of answers about why you want to use the data for what purposes and how are you going to protect people, you actually satisfy the very principles that the GDPR is there to ensure you satisfy it such as purpose limitation that you’re not going to be using data for a completely different purpose than the one that you originally started out and that people have a reasonable expectation that you’re using their data to achieve and also data minimization. That you’re really restraining it. You’re not just saying we can use everything, but you’re restraining it in relation to the purpose. So, this reference to Article 5 is very important because what it says is that it’s a purpose limitation principle and it says that data must be collected for explicit and legitimate purposes and not further process in ways incompatible with those purposes.

[25:15] So, what they’re saying here is that really you do need to find some transparency to people about what you're going to do with their data and the purposes when you’re processing it. Not just when you’re collecting it the first time but when you’re reusing it the second time and potentially the third and the fourth and so on. But it’s not like consent where you need to be very, very explicit and tell people what you’re going to do. It’s saying: “As long as you can specify to people the basic transparency and providing privacy notices but as long as you can set the expectations of people about broadly what you’re going to do with the data and the benefits that’s going to increase with them, then it’s okay to feel that you’re suddenly being dragged back into relying upon consent again.” So, it's showing us that there is flexibility built into GDPR. As I say and as I go on, we can see it being actually very holistic a piece of legislation. So, if I can move on to the next slide, please.
Data-Driven General Analysis
[26:20] So, what we see now and this is just a recap is that you can carry out data-driven general analysis and that's okay. You can as long as you can specify to people what's the scope of what you want to do here. What are the potential consequences if you get to that point when you're thinking about actually applying consequences and making decision making after you've done your great analytics? So, as long as you stop after the general analysis is completed to take a restock at that point, you can go forward and you can. It isn’t impossible to carry out analytics, but it doesn’t mean that you need to. You need to really be keeping an eye upon what you’re doing throughout your analysis. As I say, it’s not good enough to say you can anonymise and schedule it so that you can do data protection and forget. But you must keep an eye on it and I’m going to break that down in a minute into different steps and really bear in mind at what point might these actually have very direct consequences for the person to ensure compatibility.
Dynamic Data Governance for Analysis
[27:32] So really, what I just want to summarize and you must have a justification at the start. The best justification here is legitimate interest. And then, when you start your secondary analytics, then you must have a lawful basis. But not just that, there must be compatibility. Now, if you’re carrying out research like the type I do with academic research, that compatibility is ingrained into the rules you can satisfy that. But when you’re relying upon legitimate interest, you really need to show that the reasonable expectations of people are aligned. And in particular, as I say in stage three, you need to make sure that if you’re thinking about carrying out a decision to sometimes our analytics work really well and then we think: “Well, what next? How do I want to apply this in an organizational sense?” And so, we need to think about the legal basis and compatibility at each stage. And potentially, we might want to have consent at the third stage but we have to set that up at that point.
Dynamic Data Governance for Analysis: Impact Assessments
[28:31] And I guess the thing that you’ve probably been guessing that what I’m trying to say is actually what it comes down to is we need to think about impact assessments and we need to think about them at the very different stages at which we carry out analytics. So, sometimes it is used for different purposes. So, you may be aware that there is a requirement to carry out data protection impact assessments under Article 35 of GDPR where there is a high risk to people's rights. Well, it may be. It’s not just a formal requirement here carrying out data protection impact assessments whether it’s a full-length one or a PAD accession. So, before you can start analytics, you want to think about the type of data quality. Are you minimizing it relative to your purpose? Again, going back to purpose. Are you ensuring the security? And of course, at a later stage, we want to revisit the impact, but we don’t want to just keep the faith. We need to think about what changed relative to the purpose but then what are the consequences and what’s going to happen. And that’s actually defined into actually thinking and breaking it down into the different stages of what you’re going to do with your data. If I can move on to the next slide, please.
[29:43] I hope I've really given you a taste of what it’s like about doing analytics with a big organization where we're really dependent as I say about data as the oil to drive our organization. GDPR seems like a massive challenge. But actually, you can make it work in the right way. And Dynamic Pseudonymisation, which Gary's going to talk about in a moment, actually is a way to proactively facilitate and comply with the law. Because it works in tandem with legitimate interests. It works in tandem also with researchers doing data whether you're a commercial organization, as long as you bear in mind that there are times when you need to reassess and get back to this. So, really, the key message here is that the very mechanisms were locking or I want to call the enabling functions of GDPR are actually really robust governance that you need to be able to tell the organizations we need to think about these things from the start and we need to make sure that everyone in the organization is aware that this is not something of an afterthought. No one wants to get hit by the massive fines of the GDPR, and the way to do that is to leverage its functionality in the right way to ensure that we have purpose permission, ensure them that we have great data management, and ensure them that we can get a real great data utility out of what we want to do with our analytics.
Data-Driven General Analysis & the GDPR: Friend or Foes?
[31:13] So, thanks for listening to me. I'm going to hand it over to Gary now for his presentation. Just a matter of point, my colleague and I, we've written a paper on this. If you're interested, please don't hesitate to email me at my address here and I'm very happy to give you a preview of that paper and I'd really love to engage in some debate with people who are fascinated by these issues. So, thanks very much.
Enable Maximum Value and Use of Data Compliant with Evolving Regulations
Gary LaFever (Anonos)
[31:39] Thank you, Alison. Thank you very much for that. So, I can summarize what I'm about to go over as follows.
What Has Changed?
[31:47] You can do everything under the GDPR that you can do today and we would argue even more, but you have to do it differently. And that's the key. The GDPR provides tools to continue to innovate even with the increased data, speed, and capabilities that 5G makes possible. You just have to do it differently. The term that we use and you won't find this in the GDPR is “legal context” and what we mean by this is it’s the first step in the data-driven journey. It’s no longer just a technology step. It has to be technology tied in with a legal context so that you ensure that you have the legal basis to make use of data, that you're putting in place the technical and organizational safeguards necessary to mitigate risks to data subjects, and the way that the GDPR enables you to do this is a concept again using our language that we would call a “data transformation layer.”
Why Has It Changed?
[32:45] And the next slide highlights what's changed. Why are things different than they used to be in the past? And it's because, as Alison pointed out, our processing used to be about information, which was a static concept. Now it's about data, which is a dynamic concept. And so, the old fashioned approaches to data protection created an unsustainable conflict, a zero-sum game where any advantage to business is at the cost of compliance and vice versa.
Why Has It Changed?
[33:17] And this next slide highlights that traditional approaches to data protection simply were not created to do these three things - to protect against unauthorized re-identification or linkages under the mosaic effect while enabling controlled re-linkability so as to increase data sharing opportunities. It's not a surprise. They were invented decades ago.
The GDPR Solution
[33:39] But the GDPR under the next slide highlights that in fact you can comply and enable and maximize use if you use the tools that the GDPR enables.
What is the Power of 5G
[33:52] So, the next slide highlights what's the power of the 5G is also the biggest risk of the 5G. Massive amounts of data in real time supporting things like artificial intelligence and other uses, but they require controls. And this highlights again another perspective on this tension.
Technology: Moving towards decentralized/distributed processing
[34:11] This next slide highlights it has 5G at the middle. And what it's showing is the decentralized distributed nature of processing that's possible and it's accelerated with 5G. Everything from the cloud to analytics to IoT to blockchain - all of it.
Compliance: Moving towards centralized/individualized concepts of privacy due to government legal mandates and individual awareness
[34:26] But compare that with the next slide, which is showing the need for effective governance and privacy and security of a centralized control function. So, you have the contrast between an outward decentralized distributed approach to processing conflicting with the requirement for a centralized individualized concept of privacy.
Pseudonymisation & Data Protection by Design and by Default = Dynamic centralized compliance for decentralized processes
[34:44] And yet, as the next slide highlights, the GDPR actually provides for a means of reconciling these two. And there are two concepts here. Dynamic Pseudonymisation - and that term “Pseudonymisation” has a new definition under the GDPR that has never existed before. We will touch upon that. And another term “Data Protection by Design and by Default” is yet another term that has not existed prior to the GDPR.
The New Reality
[35:07] And the next slide highlights why these new approaches are necessary and that's because the balance of risk has shifted from data subjects to data controllers. We haven't mentioned it here, and you're probably well aware of it, but the GDPR has very large fines up to 4% of a company's consolidated gross global revenues for violation. It also enables data controllers to effectively bring class action lawsuits for the first time. Why? Because the decision has been made, I think rightfully so particularly with things like 5G that even increases by a magnitude the amount of data available about all of us that the data controllers have to put safeguards in place.
GDPR = State of the Art
[35:50] And ironically or perhaps not ironically, the next slide highlights in this respect the GDPR is in fact the state of the art and the EU has taken the lead on this and is showing the rest of the world how it's to be done because this is not about stifling innovation. It's not about limiting the use of data. It's about doing it in a way that's privacy respectful. And again, these two tools - Pseudonymisation and Data Protection by Design and by Default enable that to happen.
Data Transformation Layer
[36:18] So, in the next slide, we're going to take a look at this concept of a data transformation layer. And this is not something that was necessarily required before but again, as Alison said, we've moved from a concept of information to a concept of data flows and different uses of data at different times for different purposes by different people in different places may need different varying degrees of identifiable data. And so, if you take the point solutions on the left (which again have been around for decades) and you take the data uses on the right (which continue to evolve and become more dynamic), what is needed is something that's between the two that enables for the dynamism.
Legal Context
[36:57] And the next slide takes you even a further step deeper and this is important to realize. This concept of “legal context” embodies within it the need for these technical and organizational safeguards. So, again, what we like to say is the first step of the data-driven journey is no longer just technology. It's technology and legal context. You may not have the legal right to ingest the input data if you don't do it correctly. You may not have a legal right to output or to provide data to third parties if you don't do it legally. It's no longer enough to ask: “Can I technologically do it?” You have to determine and confirm you can legally do it.
What Legal Context is Required?
[37:41] So, the next two slides highlight very quickly what we mean by this. Legal context needs to take into account: “Is this being used internally? Is it being used externally? Is it the purpose for which data was collected the primary purpose or is it for a secondary purpose?” You have to first ask: “Do you even have the legal rights to data?” Which is not a question that you often had to ask before. But as we've noted and as Alison went through, generalized consent just doesn't cut it anymore. You need the safeguards and those can be technical and organizational.
What Legal Context is Required?
[38:15] So, the next slide just goes a little more deeper into this particularly with respect to 5G. You have to ask yourself these questions. Oftentimes, when it comes to primary purpose, you're looking at contract or consent, and your primary focus is: “Have I put adequate data security measures in place? Customers that I could do this with the data. That's what I'm doing and nothing else, but I still need to have good security.” When you move into secondary processing, as Alison pointed out, it's quite possible and likely even that contract or consent will not give you that right. But legitimate interest can. And here's where this trifecta as it were of data protection techniques - Pseudonymisation as newly defined under the GDPR and Data Protection by Design and by Default as newly defined under the GDPR enable a bedrock of EU data protection, which is Data Minimization.
Six Important GDPR Facts
[39:07] So, let's hit in the next slide upon six important GDPR facts, and we'll go through each of these. Anonymisation is not what it used to be, and just because you're compliant with the GDPR doesn't mean you can use the data the way you want. Existing technical and organizational safeguards - the new safeguards that are enabled by Pseudonymisation enable you to make these types of uses whereas traditional don't and then we'll go into the new state of the art.
1. Anonymisation is not what it used to be
[39:33] So, the next slide. Anonymisation is not what it used to be. If you take different datasets and combine them, you actually reduce with each combination the level of uncertainty or entropy as to who people are represented by if identities have been masked or replaced with a static identifier. This is a famous study by Harvard professors that, in fact, if you get three purportedly anonymous datasets from the US Census, because everyone's name has been replaced with the same static token, you can identify up to 87% of the US population by name. Bottomline, static tokenization is not anonymous. And as you’ll learn, it's not even pseudonymous.
2. Just because you're GDPR-compliant does not mean you can use your data.
[40:22] Next slide. Second point. Just because you're GDPR-compliant does not mean you can use your data. Organizations are oftentimes surprised that what they could do up to midnight on May 24th totally legally, the following day on May 25th and forward can become illegal. And it's fundamentally because broad based consent is no longer a viable legal basis for many desired data use. And again, the focus here is on generalized analysis, which as Alison walked through is just very difficult if not impossible to satisfy with consent. Many organizations are coming to the conclusion we think improperly that they actually are going to have to delete or stop data usage, and that mindset is only because they have not embraced the new approaches that the GDPR makes possible.
3. You need technical and organizational safeguards enabled by Pseudonymisation
[41:14] The next slide highlights what we've identified as six legal safe havens. This is important. This does not represent workarounds or means to bypass the GDPR. Quite to the contrary. By embracing the technical and organizational measures that the GDPR sets forth, oftentimes centered around Pseudonymisation and data protection by design and by default, you can continue to make use of data. But as I started out by saying, you can continue to do everything you do today and perhaps even more, but you have to do it differently in recognition that the risk has moved from the data subject to the data controller.
4. Traditional Data Protection Techniques Do Not Support New Legal Bases
[41:57] And so, the next slide highlights the challenge that this represents for existing approaches. Anonymisation is a well overused term. Under the EU law, it means specifically you can never re-link. This term is used very differently in the US and elsewhere and sometimes refers to just general obscuring of identity and personal data. That is not what anonymisation means. And the reason there's a dotted line across the slide is first, if you truly have anonymised your data, you're exempt from the GDPR and it doesn't even apply. But the word there is “truly.” If you can ever re-link that data, if you can infer a single ad or link the identity of a data subject, you're not anonymous. You quickly become back under the scope of the GDPR and you probably don't have the requisite safeguards. So, anonymity is actually a high risk approach to take.

[42:50] So, then you look at the next thing, generalization. Differential privacy is probably the most prominent example of that. It does work, but you have to remember it's designed to prevent re-linking and combination of data. And so, if you're generalizing data and still re-linking, you can't point to generalization as a safeguard because that's not what it was intended to do. It is a static approach to protection. Static tokenization is grayed out here for the reason that we touched upon. It doesn't really work. And anytime you hear somebody use the term “Pseudo-Anonymisation,” run as fast and as far as you can because there's no such thing. If anonymisation means the impossibility of re-linking, inferring, single out, and linking, you can't kind of do that. It's an absolute yes or no. But that drives you to this powerful term “Pseudonymisation.” Pseudonymisation, as we'll go into a little more detail on, is newly defined under the GDPR and it allows you to do all kinds of things including satisfying new legal basis other than consent or contract.
4. Traditional Data Protection Techniques Do Not Support New Legal Bases
[43:54] And the next slide you've seen before but I’ll just bring it back up so as not to be surprised that these old approaches to technology don't do these three things - protecting against unauthorized linkage attacks (the mosaic effect that's often referred to), while enabling controlled likeability, and therefore increasing sharing of data. That's not what they were designed to do.
5. Data Controllers and Processors Are Now Jointly and Severally Liable (up to 4% Global Rev) and Held to the State of the Art
[44:16] The next slide highlights why this is important. We've touched upon this. The reality is, as evidenced in the next slide, data controllers and processors are now jointly and severally liable. So, the reality is, it's important for you to be a good partner and do what you do correctly. And if you don't, you put your partners at risk. So, this is something that has not existed before and makes it highly relevant.
6. There is a New State of the Art: Technology That Balances Data Use and Protection
[44:46] But as we've indicated and as the next slide highlights, there is a new state of the art. The reality is Pseudonymisation and data protection by design and by default enable fine grain controls so you can do exactly what Alison said. You can do that impact assessment at different times. You can assess the exposure and risk and liability that you might have and whether or not the rights of the data subjects are being adequately safeguarded.
6. There is a New State of the Art: Pseudonymisation
[45:15] So, this next slide, I think is a very powerful one. And it shows what Pseudonymisation means. So, you have on the right hand side, the identity of an individual and you have on the left hand side the information value. The brick wall between is highlighting that you need to have a separation between the two and the bricked courtyard is where the information necessary to re-identify individuals is kept and stored under lock and key. So, again, identity on the one side of the brick wall and information value on the other. It's okay that you have the means of re-identifying, but you have to show that you need special access into that courtyard.
6. There is a New State of the Art: Pseudonymisation
[46:00] So, let's go to the next slide and show the problem. The next slide highlights if you’re using static tokens you don't satisfy the requirement of the courtyard because if I have replaced a data element with the same token each time, I don't need to go into the courtyard. I know who they are. I can see that the use of the same name replaced by the same token equals a person's identity without access to any kind of mapping table or key. That's what fails the test.
6. There is a New State of the Art: Data Protection by Design and by Default
[46:33] But the good news as mentioned in the next slide, there is a new state of the art. And the new state of the art is the GDPR way using data protection by design and by default and Pseudonymisation. You'll notice on the left hand side, you have the vibrant blue, which represents usability of data. On the right hand side, you have the vibrant green. But look at the difference. The left hand side was reflective of a static information use. The data is either fully usable or it's fully protected. But I'm forced with a binary decision between the two and it simply does not scale. And as I add more and more datasets and put data to more and more uses, I have the risk that data can be improperly used and re-identified.

[47:16] Whereas on the right hand side, you're implementing data protection by design and by default and Pseudonymisation. And so, different data elements are protected at sometimes and not other times and they're revealed only when appropriate. This is data minimization as embodied within the EU, not only the GDPR but even prior to that. Data minimization and lawful use is key. Why reveal more data than you have to for permitted authorized use? So, data protection by design and by default literally stands to the fact that by default you protect data and then you unprotect it only as necessary to enable and support an authorized use that balances the interest between the data controller and the data subject as necessary to satisfy legitimate interest and other rights under the GDPR. And so, there is a way to do this in a way that's privacy preserving, protective, and acknowledging the innovation that 5G and new technologies make possible.
Anonos BigPrivacy is The New State of the Art
[48:19] So, on the very last slide and we're limited here to one promotional slide, but that is exactly what Anonos and our BigPrivacy technology does and what we're here to talk to you about today with Alison and with IEEE is that 5G opens up new opportunities for data use, but it has to be done in a privacy preserving way. It is possible. The GDPR anticipates that, supports it, and encourages it. So, the capabilities and opportunities that 5G makes available can be fully utilized. You just have to do things differently and embrace the data stewardship best practices that the GDPR provides. So, with that, we will open it to questions. We appreciate your time and your questions.
Peggy Matson (Washington University)
[49:03] Gary and Alison, that was fabulous. Thank you. Okay. Heading off to questions. So, the first one: “Great discussion of GDPR and the Pseudonymisation technology underneath. Talk to us a little bit about the US environment.” And we have folks on the WebEx here from around the world. But we've got one question from the US. Put your questions in please for others. We don't have the equivalent in the US today. But what do you foresee happening in the US regulatory?
Gary LaFever (Anonos)
[49:36] I'll take a shot at that. And then, I’m very interested to get Alison's perspective. There's a couple of things, and the first thing to realize is the GDPR is extraterritorial in scope. What I mean by that is it's not dependent on a company having operations in the EU. In fact, if data is processed related to an EU resident and by that I mean someone that at the time of the processing is in the EU, so it actually could be a US citizen that at the time of the processing is in the EU and that processing involves data related to that person's activities in the EU, your subject also. So, most companies actually will be subject to the GDPR if people are even going to their website from the EU and accessing and processing information about them as part of the process. Secondly, any data related to a single EU resident can bring a company within the purview of the GDPR. So, a lot of the companies that we work with which tend to be very large financial institutions or medical organizations, they deal with expats - US citizens who are overseas. So, the first thing you just have to realize is that GDPR is very pervasive in its scope and jurisdiction.

[50:48] Secondly, we have already seen that the GDPR is being embraced by global companies as the standard and it's very difficult and expensive for them to have different approaches to data protection and different jurisdictions. So, they're embracing it globally. And lastly, issues like the recent Facebook-Cambridge Analytica issue have raised the specter that even something is not illegal per se that the public outcry from misuse of information where too much of identifiability was provided is pretty compelling. So, in summary, the GDPR is something not to be ignored. It's actually to be embraced whether the government in the US will move to a GDPR type protective scheme, I can't predict. I actually think it will, but it will take time. And I think it will be the industry itself who moves that direction to show that it's a best practice because data is international in scope and it doesn't know jurisdictions. But Alison, please, I'd love to get your perspective.
Dr Alison Knight PhD (University of Southampton)
[51:48] Yeah, it's a really interesting question as you say. I would refer to the 2014 White House Podesta report, which is actually called big data but it's extracting value and protecting rights. So, effectively, this is recognizing the whole creative potential of big data and saying: “How do we protect rights?” And I've heard a great speaker called Daniel Wiser, who was a White House Adviser on privacy, and his mission about technology by design as an embedding in privacy protection into the very use flows. So, I really see that coming from obviously a different legislative set of rules but I actually see as Gary said that it's going to coalesce with our own unique way for Europeans, a very particular way and things are different in the US, but actually, I think they're going to go with this. And this is underpinned as well, as Gary mentioned, the GDPR is the gold standard that has this international impact everywhere - Australia, Canada, they're all based on this principles based system.

[52:57] And now, if you look at the rules in the Privacy Shield. So, this is the big adequacy decision that applies between the EU when there was flowing of data between the EU and the US. They are principles based as well. And so, I can only see that people are suddenly going to tweak that we can achieve the same compliance. It's all about compliance and demonstrating accountability and auditing in the same way that we look at our accounts. This is the way things are going. Data ethics and showing to people that you're doing things right. This is a great reputational. It’s about getting trust with your customers and it goes beyond even GDPR. It just makes sense in terms of the right data management and producing that data management report and putting into your corporate social responsibility. This is the future and how more important that is when moving into the world of 5G which is so exciting in the Internet of Things. But you know, if you get it wrong, you're going to end up in a problem. So, yeah, I remain very optimistic about the future.
Peggy Matson (Washington University)
[54:14] Good. Thank you. In the few minutes we have left, let's talk a little bit about the technology. So, Pseudonymisation, what's the level of deployment in the market today?
Gary LaFever (Anonos)
[54:25] Yes, so the level of deployment of Pseudonymisation today is for the most part in offline historical analysis because it's the easiest to implement. So, if you think about it, the way that we talk to customers is if your data use is legal, keep it the way it is. And so, we call that the transaction lane. Why people gave you data was for the transaction that they had in mind. Typically, contract and consent. When you step out of the transaction lane is when you start to do profiling or anticipatory analysis or general statistical analysis. That was not the reason that data was initially collected. And so, the ability to use that data for analytics purposes and for predictive purposes that's outside of what again we refer to as the transaction lane, that's a very easily and readily implemented implementation of Pseudonymisation.

[55:18] The more advanced forms of Pseudonymisation are currently being pursued but they're less evident. And that is as I go forward and I actually put it into the internal workings of my existing operations. So, the easiest implementation is making a distinction between that data that was collected for a transaction and is used to support the transaction versus that data that's being used for general analytics in question. And so, the reality is, those both are very key and it comes again. “Do you even have the legal right, so that you can make use of the data?” And one of the biggest issues again is most data use has historically been through broad based consent. That's the biggest shock to people. At midnight on May 24th, data that was collected in the past legally and used in the past legally based on broad based consent may actually be illegal to possess or process on May 25th going forward.
Peggy Matson (Washington University)
[56:20] So, give me an example of broad based consent. Get really clear on broad based consent.
Gary LaFever (Anonos)
[56:23] Yup. So, how many of us? It's all of us have clicked on an “I agree” when you sign on to a website or when you downloaded an application, and it's pages and pages of terms and conditions written in legalese that none of us read, but you can't go forward, you can't download the software, and you can't use the service without saying “I agree.” That's broad based consent. The reality is what the GDPR insists upon is that the data subject was in the position to clearly without ambiguity specifically understand everything you told them you were going to do and acknowledge and agree to it and that their use of the service or product wasn't conditioned on the agreement. Because if you condition the agreement to terms it’s not actually consensual. And so, what is used across the board today as the fundamental legal basis for data processing now needs to be turned on its head that it's only what you can describe to me at the point in time with specificity that I can even legally consent to. Other than that, it's not an effective legal basis.
Peggy Matson (Washington University)
[57:23] Yeah. Well said. I know in the IEEE and I'm a volunteer for IEEE but I worked with some folks that are full time and there’s a lot of activity to be compliant with GDPR. It’s quite a game changer.
5G and GDPR Just Because You Can Capture Data Does Not Mean You Can Use It
[57:41] This is fabulous. We could talk for another hour or three hours, but we are at the end of our allotted time. Thank you, Alison and Gary. Thanks to everyone on the call for joining us today. So, a couple of reminders. We will continue to hold one webinar per month. Our next webinar is June 19th. And again, we're blessed with two speakers both from Nokia. One is more business oriented. He runs the small cell business. It's really the only US-based business for Nokia. And the other is more academic but research oriented inside Nokia. So, I love this dual role. And they’re going to talk about the role of small cells in 5G. So, be sure to refer to our web portal that's www.5GIEEE.org for any updates to register for future webinars. So, you’ll do a couple of clicks to get through education and to our webinars.

[58:37] To get on the email list so that you automatically and again this is GDPR. So, you have to join the technical community and you’ll see a button on that web portal up at the right hand side. And when you join the technical community and only when you join the technical community will you now get emails. You used to get it if you joined a webinar, etc. But exactly for this reason with the advent of GDPR, you have to join the technical community to get an email list for future webinars.

[59:06] A reminder to fill out the short survey as soon as this WebEx ends. A new window is going to pop up. I put this text in the Q & A because someone asked. It will immediately pop up. It's a 5-minute survey. We only do it so that we can get your feedback and continue our high quality series of webinars for free. It’s a 5-minute exercise. Once you complete the survey, you'll immediately get another popup window with a link to the PDF of slides. So, that's a great value. It’s just a survey. As with prior webinars, only the PDFs from the most recent webinar are available at a limited time and then as long as you registered you'll have access to a video recording within usually a couple days to a week's time - a video with the audio of this session. So, thank you all for joining us. Thank you again for our lovely speakers, Alison and Gary, and please have a good rest of your day!