Analytics and GDPR compliance: How to achieve it

The recent fines for failure to comply correctly with General Data Protection Regulation (GDPR) highlight the difficulties organisations face in retention of customer data.

But, meanwhile, the ability to derive value from that data drives projects in many businesses. 

So, how do organisations ensure they comply with the requirements of GDPR aimed at protecting customer privacy, while also ensuring the data they have collected can be a source of valuable information?

The key lies in pseudonymisation, says CEO of Vigitrust, Mathieu Gorge, in conversation with Computer Weekly storage editor Antony Adshead.

Subjects covered include how to automate data controls to ensure compliance while also achieving the ability to gain value from retained data.

Antony Adshead: Why should organisations keep an eye on new data management and storage technologies?

Mathieu Gorge: At the moment we’re seeing a lot of activity with regard to fines being by various regulators. We’ve seen fines against Facebook, against Google, and more recently, against Marriott and BA, all relating to GDPR and handling of data.

One of the other fines that didn’t really make a lot of noise, so to speak, was the one against UniCredit where the Romanian data protection authority issued a fine of just over £100,000 for “shortcomings for protecting data in a digital world” and “lack of digitally enforced controls”.

From that perspective, the data protection authority in Romania was essentially saying that the concept of manually relying on individuals to police controls around data were not good enough.

I think the reasoning behind looking at new technologies is to look at the concept, how do we build the process to automate those controls around data and how do we make that part of the DNA of the GDPR compliance strategy? Therefore also, what kind of technologies do we need to look at to demonstrate we have taken appropriate security measures to protect the data?

Adshead: Can we focus on data identification and data obfuscation technologies in storage and compliance [to achieve automated control of data for compliance]?

Gorge: So, let’s assume you’ve mapped out all of the data that needs to be protected. The traditional way of looking at reducing your scope [to risk] would be to tokenise data or use key-coding techniques.

One of the issues with that, though, is that the current key-coding and tokenisation techniques do not support the requirements for GDPR compliance – pseudonymisation – and what we mean by that is that there are key direct and indirect data identifiers for every type of data, whether structured or unstructured.

The key question from a GDPR perspective is if can you reverse engineer the data based on a set of direct and indirect data identifiers. And if so, is it still GDPR compliant?

That’s where new technologies like pseudonymisation come in. New digitally enforced safeguards that use that technology allow you to technically enforce legitimate interest controls that enable data controllers and data processors to maximise the data value that they have from the data while remaining GDPR-compliant.

What that essentially means is you can reduce the risk of liability and notification obligation if you have a data breach. You can support legal secondary processing and repurposing of the data.

Remember, under GDPR, you can only get the data for one specific purpose and if you want it for a second purpose you need to ask for permission or at least to show you have a legitimate interest to do that.

And so you can also support new data sharing business models such as international transfer of data and that allows you to improve predictability, scalability and timeliness of processing.

What you’re doing with the pseudonymisation of the data is you essentially look at all the direct and indirect data identifiers. You kind of build on, get to the next generation of tokenisation and key-coding techniques and that allows you to store the data in a compliant way to make sure you’ve got an audit trail for data usage and therefore to look at further innovation in the way you can use the data for new purposes and to open new commercial opportunities.

We’re seeing a number of new vendors in the industry that are trying to get their clients to maximise on data especially for a secondary local purpose. One of the suppliers I recommend you look at, because they have some very good white papers on the topic is Anonos.

My guess would be that, especially in the payment card industry (PCI) world and in the protected health information world, you’re going to see pseudonymisation becoming a mainstream technology over the next two to three years.