Bringing down the house - The risky choice of using in-house anonymisation

As the first anniversary of the application of the GDPR approaches, one hopes that organisations have become aware of their responsibilities as controllers of personal data. 

One critical area is the difficulty of carrying out anonymisation in-house, which supervisory authorities have frequently stated falls short of the high threshold for anonymisation set by the European Data Protection Board.

In large enterprises, where data-driven insights inform business strategy, data controllers will often take on the responsibility for de-identifying their customer data with the aim of using the datasets for analytics unconstrained by the requirements of GDPR and other data protection laws.

The intent to preserve privacy is admirable. However, the execution is frequently inadequate and, as such, those organisations may leave themselves exposed to regulatory action, fines and, perhaps most crucially, reputational damage leading to a customer base that has lost trust and faith that the company treats them as valued customers, not as products.

The key concept to appreciate is that anonymised data falls outside the scope of “personal data” as defined in the GDPR.  So by anonymising customer datasets organisations can conduct analytics and not be constrained by data protection principles, such as limits on data collection, retention, purpose-based consent, the right to withdraw consent at any time and so on.

The difficulty with in-house anonymisation arises because internal processes are frequently flawed and organisations are not aware of the high standard of anonymisation that both the GDPR and the national supervisory authorities expect in order for personal data to be considered legally anonymised.

In order to establish if the level of anonymity is adequate, organisations need to objectively demonstrate that they have taken into account “all means reasonably likely” to be used by the controller or a third party to identify someone, directly or indirectly. This is a high threshold and difficult to achieve.

The risk of re-identification must be at an insignificant level; otherwise the process will be considered to have failed to anonymise the data, and that organisation’s compliance failure is potentially extensive given the large number of data subjects whose personal data is, in that case, being processed unlawfully.

Pitfalls of in-house processes

The key problem with anonymisation that is conducted in-house is that the original dataset is still retained by that organisation. Direct and indirect identifiers might be removed from ‘Customer Dataset A’ to create ‘Anonymised Dataset B’; however, a dataset is unlikely to be considered anonymised where a controller retains both the source data and the modified data. This is because the original dataset, in the hands of the organisation, gives that company the means to re-identify an individual in, or the entirety of, the dataset.

On this, the Irish Data Protection Commission has explicitly stated in its guidance on “Anonymisation and Pseudonymisation” that “[i]f the source data is not deleted at the time of the anonymisation, the data controller who retains both the source data and anonymised data will normally be in a position to identify individuals from the anonymised data. In such cases, the anonymised data must still be considered to be personal data while in the hands of the data controller, unless the anonymisation process would prevent the singling out of an individual data subject, even to someone in possession of the source data”. The latter standard is both mathematically exceptionally difficult and almost impossible if any reasonable utility in the data is to be retained for analytics.

Neither is outsourcing analytics or anonymisation to a third party processor necessarily the solution. WP29 Opinion stated that where a data controller hands over part of a dataset without deleting the original identifiable data at event level, the resulting data set is still personal data and such data “would still qualify as personal data for any party, as long as the data controller (or any other party) still has access to the original raw data”. In any event the potential risk of re-identification remains when the analysed data is returned to the original controller unless consideration is taken of the re-identification risk in the analytic output. There is therefore a significant risk that in-house anonymisation or anonymisation conducted by a third party, where the company retains the original dataset, does not constitute adequate anonymisation within the terms of the GDPR or in the expectations of the supervisory authorities. 

Exposure to legal risks

While GDPR has certainly forced data controllers to raise their game in terms of data stewardship, there is still much work to be done by many organisations to meet the GDPR compliance requirements. This is particularly the case in terms of organisations’ approach to achieving anonymisation. There seems to be a lowest-common-denominator approach to a very technical and complex problem. Controllers have in the past relied on removing simple identifiers and were of the view that this would achieve anonymisation. It does not.

Failure to successfully anonymise is not theoretical. There has been considerable coverage of high-profile examples such as the Massachusetts Group Insurance dataset, the Netflix Prize dataset and the AOL dataset; however, it has also featured in European supervisory authority investigations. Investigating the personal data processing of Microsoft’s Windows 10, the Dutch Data Protection Authority concluded in 2017 that Microsoft did not clearly inform users about the type of data it used and for which purpose. It found that the data subject to aggregated analysis was not anonymous as Microsoft retained identifiable personal data in its cloud storage.

Inadequate anonymisation is a GDPR compliance “accident” waiting to happen for the many data controllers who think they have nullified customer consent requirements by deploying anonymisation techniques. The technical and organisational nuances to achieving the high threshold for anonymisation appear to be ignored. A failure to raise standards in accordance with the change in the law means supervisory authorities will start looking more closely, and investigations and regulatory action will inevitably follow.

André Thompson, privacy and ethics counsel, Trūata

Image Credit: IT Pro Portal
