Businesses wishing to store or manage data in any way are now subject to very strict control thanks to the GDPR, it being the most comprehensive overhaul of privacy legislation in EU history. It has a far-reaching impact on all businesses and industries, from banks and hospitals to corner shops and fitness centres, all of which must ensure their businesses are as according to GDPR Compliance.
There are many ways to protect not only your customers, employees, and any third party private information you hold, but also your business from huge penalties.
- Pseudonymisation is the replacement of identifiable data such as names and addresses, dates of birth with other data which, although looks similar, does not reveal personal information about a real individual.
- Pseudonymisation is very helpful to organisations who wish to collect data for surveys and statistics but not specific information about individuals and preventing such organisations from falling foul of the GDPR.
Banks are utilising this concept aptly. A good example is Dutch bank Rabobank which accuartly utilise the pseudonymisation to develop a modern payment system using IBM’s cryptography software called “High Assurance Desensitisation Engine”, (The very name of the piece of software should bring peace of mind to organisations who wish to cherish the data of its customers).
In this way, the collection of essential data such as names, dates of births and account numbers using the pseudonymisation method to build payment forms enabled the bank to transform its existing software rather than make new software. IBM’s software works by replacing data with strings of numbers and letters with keys and hashes that behave in a similar way to the original data when running through the bank’s original software.
The Bank holds the only key to the original data, which can be used to regenerate the original data from the hash but is never seen by anyone outside the bank.
Pseudonymisation is a tool that allows companies to process data in such a way that ensure they comply with the GDPR and free them from otherwise strict privacy restrictions that previously would have disallowed the method of data use.
Truata, a financial trust company set up by IBM and Mastercard acts as a conduit for third-party businesses who wish to analyse and establish that they conform to GDPR compliance
A survey report by Solix has revealed that less than 50% of firms cannot assure that they were GDPR Compliant before May 25th 2018. With data being an integral component of most businesses and the key to successful marketing and advertising, it is essential that there is an element of control, more so than mere ad blockers!
Truata, therefore, has set itself up as an independent compliance analytical provision entity and is receiving some interest from mainly larger companies. The way in which it works for clients is that an online company may pass its customer list to Truata, firstly anonymising the list using IBM technology so that the list may then be stored and analysed by Truata.
There are many options with regards analytical reporting of the data, including Truata analytical front-end tools or an interface, which allows the client to carry out the analytics themselves. Other options include requesting algorithms or model codes to be used alongside the client’s tools for analysing data.
There have been speculations about moving data outside the parameters of an organisation, thus risking privacy breaches, and the very antithesis of the GDPR, but IBM is keen to expel these reactions by emphasising that the trust acts with utmost security in mind and stresses that it conforms to the guidelines set down by the Article 29 Working Party.
A tool named pseudonymisation allows companies to process data in such a way that ensure they comply with the GDPR and free them from otherwise strict privacy restrictions that previously would have disallowed the method of data use.
- Data-at-Rest, including data in storage, archives, reference files, files stored on hard drives, servers, storage area networks, or files on backup service providers that are off-site. Encryption would need to apply to all access and control, wherever the data is held.
- Data-in-Motion, including email or any types of transportation of data, encryption is necessary to that all data that traverses across different networks is heavily protected preventing data from being heard, seen, or intercepted.
- In addition to protection by encryption, there has to be in place a strong element of management to protect not just the encrypted data, but to prevent any unauthorised retention of data in line with the individual’s legal rights to have data completely erased and “forgotten.”
- Businesses will also be required to substantiate the legitimate identity and activity of an individual and verify that the organisation has strict security controls in place in line with the GDPR Compliance management requirements.
Articles 5, 25 and 32 of the GDPR clarify that only authorised users may access data and only when appropriate. For GDPR Compliance, it is expected that businesses to be entirely in control of any data that is held or processed and that the data is accurate.
Businesses are urged to ensure that data is maintained in an illegible state, and encryption is one way to ensure this. The GDPR Compliance requirements can be met by this simple method of control, which prevents identifying individuals through data. Also, the manipulation of data is prevented by encryption when properly used.
Further security methods recommended for GDPR Compliance for your organisation is that of the “multi-factor authentication” method, or “MFA”. Already very popular with applications such as Facebook and Google, and is sometimes referred to as the “two-step verification”. Proponents of this MFA method of identification argue that by doing away with only password verification, online fraud and identity theft is greatly reduced. There is no denying that MFA is far more superior when it comes to security.
However, some companies do not like the fact that it may be deemed as an arduous burden from the end user albeit there are flexible and adaptable solutions such as biometric authentication methods, which do not compromise business activities.
Biometric authentication entitles an individual’s identity to be authenticated based on specific data unique to that individual. It is estimated that almost 90% of firms will be using biometrics by 2020, according to a recent survey by Spiceworks.
The new trend in this ever increasing and sophisticated method of authenticating individuals has caused some controversy, especially in line with the recent launch of Apple iPhone X’s facial recognition functionality. Fundamentally, the question being asked is “Who are you?”
The question then begs, “How will such sensitive and private data be protected”? As such, the GDPR has brought even stringent protection of biometric data. Due to its infancy and palpable future advancement, the GDPR has provided a definition that will cover all eventualities for compliance. By defining biometrics in as broad a sense as possible, they are ensuring that this type of data is subject to stringent data processing control and impact assessment control for now and in the future.
After all, the data is very personal; it involves a
- A photo of a face
- A record of a voice
- An image of a fingerprint
This will be compared to the biometric data of a multitude other individuals stored in a database. Very sensitive indeed!
A further category of biometrics is data taken from the collection behaviour rather than physiological. Behaviour data collecting is narrower regarding logistics, as “behaviour” is not usually unique to one person, and could be attributed to many people such as certain gaits, lip motion, typing/keystroke motion.
A simple and informative list of types of biometric types can be found in this interesting article by Biometrics Today
Any organisations actively using such physiological or behavioural biometric data should look carefully and define exactly what data is being processed and to what end. It is important to be proactive and take necessary precautions by putting into place measures to ensure that such processing is justified and that relevant consent and contracts are correctly in place.
Subsequently, any organisation actively or contemplating processing biometric data will need to keep abreast of developments in the future of biometric data to ensure they are up to date in this rapidly developing field of technology. Due to the extreme sensitivity of such data, to ensure ongoing GDPR Compliance, the GDPR has introduced the necessity for data controllers to carry out mandatory and continual privacy impact assessments, to ensure that there is no privacy risk at all to these individuals whose data is held.
This is pertinent for organisations who are continually developing new technologies alongside the use of biometric data. Also where biometric data is collected and used on a large scale and/or in public settings such as the retail or fitness sector where facial recognition is becoming more commonly used. In such circumstances, data controllers will be required to be fully aware of the data processing risks involved and be able to implement tailored measures to ensure any risks are mitigated to the absolute bare minimum.
Showing integrity as a business is important under the GDPR, but also your customers, employees and any other third party data that you hold will be confident that your organisation is doing its utmost to protect and cherish the data that you hold on their behalf. For this very reason, the GDPR Compliance is an essential part of your business for the foreseeable future. Get your processes and approaches right now, and everyone benefits, it is important not to “wait and see what happens”.
If your business is not GDPR Compliant, contact GDPR Compliance experts like Seers, who have a team of consultants who can help your business immediately and ensure you comply fully.