World Economic Forum Highlights Benefits of GDPR Pseudonymisation for Fourth Industrial Revolution (4IR)
The World Economic Forum highlights the benefits of GDPR Pseudonymisation for transforming global economies. Individuals and organisations benefit from advanced data protection that technically controls analytics, artificial intelligence (AI) and machine learning (ML) that increasingly blur our physical, digital, and biological data-driven worlds. This phenomenon, known as the Fourth Industrial Revolution (4IR), is the force behind many data-driven products and services quickly becoming indispensable to modern life.
Trust and confidence that 4IR data protection technologies enforce rights-preserving, ethical and secure controls increase participation and benefits from the data-driven economy like those embodied in the World Economic Forum’s Data for a Common Purpose Initiative.
4IR data protection technologies functionally separate information value - the desired insights from data processing - from the identity of the individuals to whom the data pertains. This controls the gradation of the data processed, from no data to a large volume of data, at any level of identifiability.
GDPR Pseudonymisation: 4IR Data Protection Technology
The GDPR enforces the concept of functionally separating information value from identity in the GDPR's redefined requirements for Pseudonymisation. The heightened requirements for Pseudonymisation under the GDPR mandate a new outcome-based “state” of data that:
- Protects direct, indirect, and quasi-identifiers, together with characteristics and behaviours;
- Protects at the record and data set level versus only the field level so that the protection travels wherever the data goes, including when it is in use; and
- Protects against unauthorised re-identification by generating high entropy (uncertainty) levels by dynamically assigning different tokens at different times for various purposes.
GDPR Pseudonymisation enforces state-of-the-art 4IR data protection by preventing the re-identification of individuals without the use of additional information kept separately to ensure that data is “anonymous” (in the strictest sense of the word on a global basis) “but for” the additional information which is held separately and made available only under controlled conditions for authorised purposes.
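A minimal sketch of the properties listed above, added here as an illustration; it is not Anonos's or the World Economic Forum's implementation. Tokens are derived with HMAC-SHA256 under a key that differs per purpose and per time period, and the keys and re-linking table sit in a separate vault object. The class, function and field names and the sample records are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

class Vault:
    """The 'additional information': keys and re-linking table, held separately
    from every released data set (hypothetical design for this example)."""

    def __init__(self):
        self._keys = {}    # (purpose, period) -> secret HMAC key
        self._relink = {}  # token -> original value

    def token(self, field, value, purpose, period):
        # A fresh random key per purpose and period means the same person
        # receives unrelated tokens in different releases.
        key = self._keys.setdefault((purpose, period), secrets.token_bytes(32))
        msg = f"{field}:{value}".encode()  # field name gives domain separation
        tok = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        self._relink[tok] = value
        return tok

    def relink(self, tok, authorised):
        # Re-identification is possible only under controlled conditions.
        if not authorised:
            raise PermissionError("re-linking requires authorisation")
        return self._relink[tok]

def pseudonymise(records, vault, purpose, period, fields=("email", "postcode")):
    """Return copies of records with direct and quasi-identifier fields tokenised."""
    out = []
    for rec in records:
        row = dict(rec)
        for f in fields:
            row[f] = vault.token(f, rec[f], purpose, period)
        out.append(row)
    return out

# Constructed sample data, not from the article.
RECORDS = [
    {"email": "ana@example.org", "postcode": "1011", "basket_eur": 42},
    {"email": "ana@example.org", "postcode": "1011", "basket_eur": 17},
    {"email": "ben@example.org", "postcode": "2500", "basket_eur": 8},
]

if __name__ == "__main__":
    vault = Vault()
    analytics = pseudonymise(RECORDS, vault, "analytics", "2021-Q3")
    marketing = pseudonymise(RECORDS, vault, "marketing", "2021-Q3")
    print(analytics[0]["email"], marketing[0]["email"])  # two unrelated tokens
    print(vault.relink(analytics[0]["email"], authorised=True))
```

Within one purpose and period the tokens stay consistent, so rows can still be grouped for analysis; a party holding only the released rows cannot link the analytics set to the marketing set without the vault.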
EDPB and EU Commission Highlight GDPR Pseudonymisation as State-of-the-art Schrems II Compliance
- Why did the European Data Protection Board (EDPB) increase the number of references to GDPR Pseudonymisation from 7 times in their preliminary Schrems II guidance to 12 in the final Schrems II guidance?
- Why does the European Commission repeatedly highlight Pseudonymisation for Schrems II compliance generally, and specifically for completing Annex II to the final Standard Contractual Clauses?
- Why? The EDPB Final Guidance and the Commission’s Final SCCs highlight GDPR Pseudonymisation as state-of-the-art Schrems II compliance because GDPR Pseudonymisation is “legally necessary” when it is less intrusive, more effective, and more privacy respectful than the following alternative data protection techniques.
See Infographic below and read the Italian university dissertation on the subject at SchremsII.com/Epilogue.
GDPR Pseudonymisation Protects Data When in Use
The importance of GDPR Pseudonymisation for protecting data when in use is highlighted in the quotes, including by the Luxembourg data protection authority (CNPD) currently assessing the US $887 million (746 million Euro) fine against Amazon, when announcing the certification of Anonos GDPR Pseudonymisation Technology.
As highlighted in this ZDNet article about the CNPD fine, new corrective measures, like GDPR Pseudonymisation, that protect data when in use are now necessary for desired data processing to be legal.
Business Practices Must Change
The $887 million (746 million Euro) penalty against Amazon is just the start. The decision by the CNPD requires "corresponding practice revisions" in data processing practices. Technical measures are required to support non-consent-based processing for advertising and other secondary “repurposing” of data for uses beyond the purpose for which it was originally provided. This includes all advanced analytics, ML and AI.
Scope of Consent is Limited
The scope of lawful consent is limited under the GDPR – it is not possible to describe in advance at the time of data capture all potential future processing in sufficient detail so that data subjects can understand what they are consenting to. As a result, “consent” is not available as a legal basis for many complex processes under the GDPR. The GDPR provides alternative legal bases which may be more appropriate for advanced analytics, ML and AI but these require additional technical and organizational safeguards to reduce the risk of data misuse or abuse to the detriment of data subjects.
Privacy vs Security
GDPR requirements for protecting data when in use are less about keeping “bad guys” (attackers) away from the data (as is the case in data breaches – “security”) and emphasize putting controls in place so that even “good guys” (authorized parties – “privacy”) are technically limited in what they can do with the data to reduce the risks to data subjects.
The data processing practices at the heart of the ZDNet article, which encompass secondary “repurposing” of data for uses beyond the purpose for which the data was originally provided, are shared among Google (Alphabet), Apple, Facebook, Amazon, and Microsoft, referred to in the article as “GAFAM” – an acronym for these five U.S. tech companies. These same issues are the focus of separate Privacy International complaints against Acxiom and Oracle (data brokers), Equifax and Experian (credit reference agencies), and Criteo, Quantcast and Tapad (ad-tech companies).
Transformation of Practices Required
The widespread need for transformation of business practices is highlighted by these quotes in the ZDNet article from privacy expert @CillianKieran:
“There was symbolic value to the fine issued against Amazon but echoed what La Quadrature du Net said about the need to transform the way companies deal with personal data.”
“The expectation that privacy is now 'table stakes' for business operations in Europe.”
"Transformation of the underlying problem -- the data practices -- is what's necessary: compelling the organizations to correct their practices, better respect users' data, and face enforced penalties for non-compliance.”
"The fine makes the headlines, and it is significant whether it comes to fruition. But for a company as well-resourced as Amazon, systemic changes to how they treat individuals' data will be more consequential in the long term."
Anonos Variant Twins: State-of-the-Art GDPR Pseudonymisation
Anonos state-of-the-art GDPR Pseudonymisation software enables the responsible exchange and use of data to help solve critical challenges and fuel innovation for society. GDPR Pseudonymisation-enabled Anonos Variant Twins support Schrems II compliance as well as the global sharing and processing of controllably re-linkable non-identifying personalised data to help unlock the commercial and societal value of data.
Fourth Industrial Revolution (4IR) Anonos Variant Twin software enforces use case-specific controls that protect data when in use to deliver:
- Embedded trust in data flows
- Re-linkable non-identifying personalized data
Gartner Group recognises Anonos as a Gartner Cool Vendor because patented “Variant Twins” create controllably re-linkable yet non-identifiable data sets from personalised data. This enables Schrems II compliant dynamic data sharing, combining analytics, AI and ML with no degradation in accuracy or speed of processing compared to cleartext data.
If you have any questions, please contact me via LinkedIn.
This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.