15:10 [Slide 2]
Francois Zimmerman:
Before we close, what I'd like to do is go back to the big three questions at the beginning of this talk and get Gary to apply the legal and technical concepts to these specific business challenges. The first one was (1) I am running a bunch of big data projects and they've been canceled because I no longer have access to the data. What would you do?
Gary LaFever:
Great question, Francois. The good news is, big data projects don't have to be put on hold as a result of the GDPR. First off, historical data can actually be transformed by leveraging Pseudonymisation and Data Protection by Design and by Default to support analytics and AI on the alternate legal basis of legitimate interest. What this means is data that was collected prior to May 25th, that was collected using now illegal broad-based consent, can still be transformed to be compliant and used on a going forward basis. Data that's collected after May 25th can also be used for analytics and AI. All that is required is that customers are put on notice at the time of initial data collection that the data will be processed for these purposes based on the legal basis of legitimate interest. Again, that does require that new technical safeguards are put in place that satisfy a balancing of interest for legitimate interest to serve as a legal basis. Pseudonymisation and Data Protection by Design and by Default allow this to occur.
Francois Zimmerman:
The second question is (2) I'm running a global bank. I have a lot of subsidiaries in countries with very challenging and hostile data sovereignty, privacy legislation. How do I overcome this? How do I aggregate data out of those countries up into my global data lake so that I can get a global business view?
Gary LaFever:
Another excellent question Francois, and again very similar with regard to the first one, related to big data projects. You can use the same techniques of Pseudonymisation and Data Protection by Design and by Default to facilitate cross border data transformation, use, and consolidation, and you do that by creating derivative versions of the identifying data that impart the necessary information value, but not the means of re-identification. These non-identifying, information-rich data are much easier to get approved by in-country regulators to use outside of the country. It's important to note that the resulting analysis that has occurred using the non-identifying data can be brought back into the country before you relink to the identifying data - which again never left the country. By doing this under controlled conditions for authorized purposes only, the regulators get greater comfort. The company, the firm, the organization gets the benefit of sharing the data, consolidating the data, and processing the data, out of the country and then bringing it back to re-identify or re-link it only within the country. So again, Pseudonymisation and Data Protection by Design and by Default can be used to satisfy cross border data processing and sovereignty issues.
Francois Zimmerman:
So, the final question was, (3) I'm running a bank and I'd like to use FinTechs to enable innovation. How do I send the data out to them without compromising customer privacy and frankly without enabling them to steal my customers?Then how do I plug that data back into my pipeline so that I can continue with my business processing?
Gary LaFever:
Very timely question. This is all possible so long as dynamic de-identification techniques like Pseudonymisation and Data Protection by Design and by Default are used in this processing. As a result, derivative versions of the identifying data are created which impart the necessary information value necessary for the FinTech company to do the processing, but it is processing non-identifying data. That non-identifying- but information-rich - data can then be provided for outsourced processingby the FinTech or exchanged with a partner, and only within the confines, construct and security of the original data controller will it be relinked to identifying data. So again, you can leverage the capabilities of FinTechs and other partners with privacy, respectful analytics and AI using Pseudonymisation and Data Protection by Design and by Default.
Francois Zimmerman:
Before we close, where can people go to find more information about this?