Bringing down the house - The risky choice of using in-house anonymisation

As the first anniversary of the application of the GDPR approaches, one hopes that organisations have become aware of their responsibilities as controllers of personal data. 

One critical area is the difficulty of carrying out anonymisation in-house, which supervisory authorities have frequently stated falls short of the high threshold for anonymisation set by the European Data Protection Board.

In large enterprises, where data-driven insights inform business strategy, data controllers will often take on the responsibility for de-identifying their customer data with the aim of using the datasets for analytics unconstrained by the requirements of GDPR and other data protection laws.

The intent to preserve privacy is admirable; however, the execution is frequently inadequate and, as such, those organisations may leave themselves exposed to regulatory action, fines and, perhaps most crucially, reputational damage leading to a customer base that has lost trust and faith that the company treats them as valued customers, not as products.

The key concept to appreciate is that anonymised data falls outside the scope of “personal data” as defined in the GDPR. So, by anonymising customer datasets, organisations can conduct analytics and not be constrained by data protection principles, such as limits on data collection, retention, purpose-based consent, the right to withdraw consent at any time and so on.

The difficulty with in-house anonymisation arises because internal processes are frequently flawed and organisations are not aware of the high standard of anonymisation that both the GDPR and the national supervisory authorities expect in order for personal data to be considered legally anonymised.

In order to establish if the level of anonymity is adequate, organisations need to objectively demonstrate that they have taken into account “all means reasonably likely” to be used by the controller or a third party to identify someone, directly or indirectly. This is a high threshold and difficult to achieve.

The risk of re-identification must be at an insignificant level; otherwise the process will be considered to have failed to anonymise the data, and the organisation’s compliance failure is potentially extensive given the large number of data subjects whose personal data is in that case being processed unlawfully.

Pitfalls of in-house processes

The key problem with anonymisation that is conducted in-house is that the original dataset is still retained by that organisation. Direct and indirect identifiers might be removed from ‘Customer Dataset A’ to create ‘Anonymised Dataset B’; however, a dataset is unlikely to be considered anonymised where a controller retains both the source data and the modified data. This is because the original dataset in the hands of the organisation gives that company the means to re-identify an individual in, or the entirety of, the dataset.

On this, the Irish Data Protection Commission has explicitly stated in its guidance on “Anonymisation and Pseudonymisation” that “[i]f the source data is not deleted at the time of the anonymisation, the data controller who retains both the source data and anonymised data will normally be in a position to identify individuals from the anonymised data. In such cases, the anonymised data must still be considered to be personal data while in the hands of the data controller, unless the anonymisation process would prevent the singling out of an individual data subject, even to someone in possession of the source data”. The latter standard is both mathematically exceptionally difficult and almost impossible if any reasonable utility in the data is to be retained for analytics.

Neither is outsourcing analytics or anonymisation to a third-party processor necessarily the solution. WP29 Opinion stated that where a data controller hands over part of a dataset without deleting the original identifiable data at event level, the resulting dataset is still personal data and such data “would still qualify as personal data for any party, as long as the data controller (or any other party) still has access to the original raw data”. In any event, the potential risk of re-identification remains when the analysed data is returned to the original controller, unless the re-identification risk in the analytic output is taken into consideration. There is therefore a significant risk that in-house anonymisation, or anonymisation conducted by a third party where the company retains the original dataset, does not constitute adequate anonymisation within the terms of the GDPR or in the expectations of the supervisory authorities.

Exposure to legal risks

While GDPR has certainly forced data controllers to raise their game in terms of data stewardship, there is still much work to be done by many organisations to meet the GDPR compliance requirements. This is particularly the case in terms of organisations’ approach to achieving anonymisation. There seems to be a lowest-common-denominator approach to a very technical and complex problem. Controllers have in the past relied on removing simple identifiers and were of the view that this would achieve anonymisation. It does not.

Failure to successfully anonymise is not theoretical. There has been considerable coverage of high-profile examples such as the Massachusetts Group Insurance dataset, the Netflix Prize dataset and the AOL dataset; however, it has also featured in European supervisory authority investigations. Investigating the personal data processing of Microsoft’s Windows 10, the Dutch Data Protection Authority concluded in 2017 that Microsoft did not clearly inform users about the type of data it used and for which purpose. It found that the data subject to aggregated analysis was not anonymous as Microsoft retained identifiable personal data in its cloud storage.

Inadequate anonymisation is a GDPR compliance “accident” waiting to happen for the many data controllers who think they have nullified customer consent requirements by deploying anonymisation techniques. The technical and organisational nuances of achieving the high threshold for anonymisation appear to be ignored. A failure to raise standards in accordance with the change in the law means supervisory authorities will start looking more closely, and investigations and regulatory action will inevitably follow.

André Thompson, privacy and ethics counsel, Trūata

Image Credit: IT Pro Portal
