Why compliance doesn’t have to stifle innovation

The increasing value of data has led to an upsurge in demands for corresponding data regulation.

The EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are two notable examples of the legislation that have now been implemented to regulate the access to, and use of, personal data. In the case of the GDPR specifically, there are mandatory requirements for Data Protection by Design and by Default.

Fines in excess of 110 million Euros have been issued under the GDPR since May 2018. In addition, several times that amount in fines are expected under investigations underway but not yet finalised (e.g. the UK regulator alone has threatened more than 300 million Euros in additional fines).

However, while conversations around compliance in light of these reports are inevitably re-opened for discussion, not enough focus or attention is being given to the difficult yet crucial question of how companies and organisations can derive maximum value from data for secondary uses, while also complying with legal requirements and ethical expectations.

Compliance is an essential and unavoidable prerequisite to the development and use of new technologies such as big data analytics, artificial intelligence (AI) and machine learning.

While it would be easy to assume that the large fines enforced by data protection authorities for inadequacies in data protection and privacy law compliance could act as a deterrent for the development of these technologies, the reality is that this is not the case.

Demand for tools that aid in the ethical and lawful use of data for secondary processing is unquestionably there, and more must be done to educate businesses that these tools do in fact already exist. Otherwise, we are at risk of stifling innovation moving forward.

Before the implementation of regulations such as the GDPR, there was little awareness among data subjects of who was collecting information about them. Now, failure to comply may result in punishments for data collectors and processors, but these punishments have failed to eliminate the associated risks for data subjects.

Governments and corporations alike have repeatedly misunderstood guidance within the GDPR that seeks to stop data subjects being positively identified and keep their data safe while in use. As a result, data tends to fall into one of the following categories: protected but not usable, usable but not protected, or protected and usable with low data utility which is limited to centralised use-none of which aid in the effort to encourage innovation.

One term in the GDPR that is at the core of this debate is Pseudonymisation, which has been legally defined at the EU level for the first time in the GDPR, with a heightened standard relative to past practice.

Pseudonymisation is repeatedly mentioned as not only a recommended safeguard, but also explicitly linked to express statutory benefits enabling greater data use in more than a dozen places.

For example, GDPR Article 25(1) identifies Pseudonymisation as an “appropriate technical and organisational measure” while Article 25(2) requires controllers to “implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”

The AdTech industry, which was recently forecasted to lose $32-$39 billion in ad revenue due to the elimination of digital marketing personalisation, is just one example of the many industries that could benefit from embracing and adopting GDPR-compliant Pseudonymisation technologies.

Indeed, demand for new approaches to compliance in AdTech is rising, with increasing developments around regulations. This is in response to a growing understanding of the dangers faced by data subjects when they are not properly protected.

While recent proposals by the Interactive Advertising Bureau (IAB) and Google have been designed to improve the AdTech ecosystem (and are both improvements over the current lie of the land) neither, at least not in their current forms, comply with the mandatory requirements within the GDPR for Data Protection by Design and by Default.

These proposals rely on techniques using static or persistent tokens to replace repeated occurrences of identifiers within and across datasets, which leaves the data and its owners exposed to unauthorised re-identification via the ‘Mosaic Effect’. Adoption of Pseudonymisation capabilities as a complement to either or to both of the IAB and Google approaches would enforce technical controls to limit such re-identification possibilities, enabling the AdTech ecosystem to flourish under ever-evolving data protection laws.

In essence, GDPR-compliant Pseudonymisation enables the achievement of ‘Aristotle’s Golden Mean’. This is the proposition that you can have an excess of behaviour at one end of a spectrum and a deficiency of behaviour at the other end, but located somewhere in the middle is a perfectly balanced behaviour.

An educational programme on the meaning and benefits of Pseudonymisation as newly defined within the GDPR, plus greater awareness of the tools that facilitate ethical and lawful processing of data for secondary use is needed to move the conversation beyond that of compliance, and beyond the penalties for failure to do so.

By Gary LaFever, CEO & General Council, Anonos

Anonos enables lawful analytics, AI & ML that preserve 100% of data accuracy while expanding opportunities to ethically share & combine data. Anonos Pseudonymisation & Data Protection by Design & by Default technology enables the use of Legitimate Interests to lawfully process, combine and share personal data while protecting the rights of individuals & achieving business objectives.

Anonos patented Variant Twins® enable sharing, enrichment, analysis, and relinking of personal data by technologically enforcing dynamic, fine-grained privacy, security & data protection policies in compliance with the GDPR, CCPA and other evolving data privacy regulations. Learn more at anonos.com and https://www.pseudonymisation.com.

This article originally appeared in GRC World Forums.  All trademarks are the property of their respective owners. All rights reserved by the respective owners.