• Follow us

Internet

Bringing down the house - The risky choice of using in-house anonymisation

As the first anniversary of the application of the GDPR approaches, one hopes that organisations have become aware of their responsibilities as controllers of personal data. 

One critical area is the difficulty of carrying out anonymisation in-house which supervisory authorities have frequently stated falls short of the high threshold for anonymisation set by the European Data Protection Board.

In large enterprises, where data-driven insights inform business strategy, data controllers will often take on the responsibility for de-identifying their customer data with the aim of using the datasets for analytics unconstrained by the requirements of GDPR and other data protection laws.

The intent to preserve privacy is admirable, however the execution is frequently inadequate and, as such, those organisations may leave themselves exposed to regulatory action, fines and perhaps most crucially, reputational damage leading to a customer base that has lost trust and faith that the company treats them as valued customers, not as products.

The key concept to appreciate is that anonymised data falls outside the scope of “personal data” as defined in the GDPR.  So by anonymising customer datasets organisations can conduct analytics and not be constrained by data protection principles, such as limits on data collection, retention, purpose-based consent, the right to withdraw consent at any time and so on.

The difficulty with in-house anonymisation arises because internal processes are frequently flawed and organisations are not aware of the high standard of anonymisation that both the GDPR and the national supervisory authorities expect in order for personal data to be considered legally anonymised.

In order to establish if the level of anonymity is adequate, organisations need to objectively demonstrate that they have taken into account “all means reasonably likely” to be used by the controller or a third party to identify someone, directly or indirectly. This is a high threshold and difficult to achieve.

The risk of re-identification must be at an insignificant level, otherwise the process will be considered to have failed to anonymise the data and that organisation’s compliance failure is potentially extensive given the large number of data subjects whose personal data is in that case being processed unlawfully.

Pitfalls of in-house processes

The key problem with anonymisation that is conducted in-house is that the original data set is still retained by that organisation. Direct and indirect identifiers might be removed from ‘Customer Dataset A’ to create ‘Anonymised Dataset B’, however a dataset will be unlikely to be considered anonymised where a controller retains both the source data and the modified data. This is because when the original dataset in the hands of the organisation results in that company having the means to re-identify an individual in, or the entirety of, the dataset. 

On this, the Irish Data Protection Commission has explicitly stated in its guidance on “Anonymisation and Pseudonymisation” that “[i]f the source data is not deleted at the time of the anonymisation, the data controller who retains both the source data and anonymised data will normally be in a position to identify individuals from the anonymised data. In such cases, the anonymised data must still be considered to be personal data while in the hands of the data controller, unless the anonymisation process would prevent the singling out of an individual data subject, even to someone in possession of the source data”. The latter standard is both mathematically exceptionally difficult and almost impossible if any reasonable utility in the data is to be retained for analytics.

Neither is outsourcing analytics or anonymisation to a third party processor necessarily the solution. WP29 Opinion stated that where a data controller hands over part of a dataset without deleting the original identifiable data at event level, the resulting data set is still personal data and such data “would still qualify as personal data for any party, as long as the data controller (or any other party) still has access to the original raw data”. In any event the potential risk of re-identification remains when the analysed data is returned to the original controller unless consideration is taken of the re-identification risk in the analytic output. There is therefore a significant risk that in-house anonymisation or anonymisation conducted by a third party, where the company retains the original dataset, does not constitute adequate anonymisation within the terms of the GDPR or in the expectations of the supervisory authorities. 

Exposure to legal risks

While GDPR has certainly forced data controllers to raise their game in terms of data stewardship, there is still much work to be done by many organisations to meet the GDPR compliance requirements.  This is particularly the case in terms of organisations approach to achieving anonymisation.  There seems to be a lowest common denominator approach to a very technical and complex problem. Controllers have in the past relied on removing simple identifiers and were of the view that this would achieve anonymisation. It does not. 

Failure to successfully anonymise is not theoretical. There has been considerable coverage of high-profile examples such as the Massachusetts Group Insurance dataset, the Netflix Prize dataset and the AOL dataset, however it has also featured in European supervisory authority investigations. Investigating the personal data processing of Microsoft’s Windows 10, the Dutch Data Protection Authority concluded in 2017 that Microsoft did not clearly inform users about the type of data it used and for which purpose. It found that the data subject to aggregated analysis was not anonymous as Microsoft retained identifiable personal data in its cloud storage.

Inadequate anonymisation is a GDPR compliance “accident” waiting to happen for the many data controllers who think they have nullified customer consent requirements by deploying with anonymisation techniques.  The technical and organisational nuances to achieving the high threshold for anonymisation appear to be ignored. A failure to raise standards in accordance with the change in the law means supervisory authorities will start looking closer and investigations and regulatory action will inevitably follow.

André Thompson, privacy and ethics counsel, TrūataImage Credit: IT Pro Portal

Read More



Leave A Comment

More News

Latest ITProPortal news

Best web hosting services for 2019 New! 2019-05-22 14:45:26If you are confused about website hosting, then this is the place to start your search

What is Big Data? Everything you need to New! 2019-05-22 09:20:51Big Data: What’s New  10/05 - FEATURE - Lisa Andreou/Acxiom - Banking on big data - The importance of big data keeps growing, but how can r

EE reveals launch of UK 5G for businesses New! 2019-05-22 08:00:40Six cities, five devices and multiple plans for starters.

Nokia CEO says Huawei ban could help its New! 2019-05-22 07:30:37Block on Huawei tech could be good for its rivals and former partners.

Tech is playing a key role in building New! 2019-05-22 07:00:40Most companies aren't ready for the workplace of the future.

From the Nigerian prince to London Blue – New! 2019-05-22 07:00:27Agari recently conducted a deep research campaign into a particularly prolific Nigerian gang we have dubbed London Blue.

Ransomware vs. SMBs – who will prevail in New! 2019-05-22 06:30:14What are the key steps SMBs should go through to increase their cybersecurity with regards to ransomware?

Kaspersky warns of major rise in DDoS attacks New! 2019-05-22 06:30:11Hour-long DDoS attacks have surged almost 500 per cent.

How FinOps can help you manage your cloud New! 2019-05-22 06:00:54IT Pro Portal Q&A with J.R Storment, Co-Founder, Cloudability.

Three key takeaways from the 2019 Verizon Data New! 2019-05-22 06:00:51XMCyber's Menachem Shafran helps you take advantage of the 2019 Verizon Data Breach Investigations Report.

Microsoft calls for a US GDPR New! 2019-05-22 06:00:20Tech giant promotes need for federal data legislation.

Disruptive leadership in the era of digital transformation New! 2019-05-22 05:30:28If you’re not experimenting, you’re falling behind.

TechRadar: Internet news

The best 2-in-1 laptop 2019: find the best 2019-05-21 18:58:42Alongside the impressive HP Spectre x360 15T (2019), these are the best 2-in-1 laptops around.

Vizio’s budget V-Series will offer 4K and Dolby 2019-05-21 18:17:56Vizio’s stacked 2019 TV lineup includes a 3,000-nit TV and several ultra-budget Dolby Vision screens.

Apple now accepts 2018 MacBooks into its keyboard 2019-05-21 18:15:13Apple has expanded its keyboard repair program to cover all MacBooks with Butterfly keyboards.

Digital transformation could be causing security risk 2019-05-21 17:50:32A new report from Thales and IDC has shed light on a growing security gap among European businesses.

Google Pixelbook 2: what we want to see 2019-05-21 17:40:10Here’s everything we want to see from the Google Pixelbook 2

The best student laptops: all the best options 2019-05-21 17:07:31The best laptops for college students – everything from Chromebooks to the new Dell XPS 13.

Sharks vs Blues NHL live stream: how to 2019-05-21 17:03:33Who will get a shot at the Stanley Cup? We’ll show you how to live stream the NHL San Jose Sharks vs St. Louis Blues action from anywhere.

Why you should care about the 2019 VW 2019-05-21 16:04:13Far from taking control out of your hands, smart optimization could make tomorrow's cars a joy to drive.

DDoS attacks soar after long period of decline 2019-05-21 15:33:47New research from Kaspersky Lab has revealed that new DdoS-for-Hire websites have reignited cybercriminals' interest in DDoS attacks.

Honor 20 vs Honor 10 2019-05-21 15:26:42The Honor 20 is the brand's latest affordable flagship, but how different is it really to the Honor 10?

Huawei Android ban: Time for Honor to rise 2019-05-21 15:02:51Honor might be Huawei's secret weapon

Opera jumps into gaming with Opera GX browser 2019-05-21 14:59:15Opera has announced an upcoming 'gaming' browser called Opera GX, but specified no features.

TechCrunch » Enterprise

Robin picks up $20 million Series B to 2019-05-20 08:37:24Robin Powered, a startup looking to help offices run better, has today announced the close of a $20 million Series B funding. The round was led by Tol

Wagestream closes $51M Series A to plug the 2019-05-20 08:35:08Getting your work wages on a monthly (not weekly nor biweekly) basis has become a more widespread trend as the price of running payrolls has gone up,

Under the hood on Zoom’s IPO, with founder 2019-05-17 14:00:22Extra Crunch offers members the opportunity to tune into conference calls led and moderated by the TechCrunch writers you read every day. This week, T

HPE is buying Cray for $1.3 billion 2019-05-17 09:50:35HPE announced it was buying Cray for $1.3 billion, giving it access to the company’s high-performance computing portfolio, and perhaps a foothol

Health at Scale lands $16M Series A to 2019-05-17 09:00:53Health at Scale, a startup with founders who have both medical and engineering expertise, wants to bring machine learning to bear on healthcare treatm

Unveiling its latest cohort, Alchemist announces $4 million 2019-05-16 11:30:08The enterprise software and services-focused accelerator Alchemist has raised $4 million in fresh financing from investors BASF and the Qatar Developm

SugarCRM moves into marketing automation with Salesfusion acquisition 2019-05-16 10:06:35SugarCRM announced today that it has acquired Atlanta-based Salesfusion to help build out the marketing automation side of its business. The deal clos

OpenFin raises $17 million for its OS for 2019-05-16 09:01:51OpenFin, the company looking to provide the operating system for the financial services industry, has raised $17 million in funding through a Series C

VMware acquires Bitnami to deliver packaged applications anywhere 2019-05-15 12:52:01VMware announced today that it’s acquiring Bitnami, the package application company that was a member of the Y Combinator Winter 2013 class. The

Tealium, a big data platform for structuring disparate 2019-05-15 11:11:57The average enterprise today uses about 90 different software packages, with between 30-40 of them touching customers directly or indirectly. The data

Solo.io wants to bring order to service meshes 2019-05-15 11:05:07As containers and microservices have proliferated, a new kind of tool called the service mesh has developed to help manage and understand interactions

Egnyte brings native G Suite file support to 2019-05-15 09:10:55Egnyte announced today that customers can now store G Suite files inside its storage, security and governance platform. This builds on the support the


Disclaimer and Notice:WorldProNews.com is not responsible of these news or any information published on this website.